Abstract

We propose a simple timed broadcasting process calculus for modelling wireless network protocols. The operational semantics of our calculus is given in terms of a labelled transition semantics which is used to derive a standard (weak) bisimulation theory. Based on our simulation theory, we reformulate Gorrieri and Martinelli's timed Generalized Non-Deducibility on Compositions (tGNDC) scheme, a well-known general framework for the definition of timed properties of security protocols. We use tGNDC to perform a semantic analysis of three well-known key management protocols for wireless sensor networks: µTESLA, LEAP+ and LiSP. As a main result, we provide a number of attacks on these protocols which, to our knowledge, have not yet appeared in the literature.

1 Introduction 

Wireless sensors are small and cheap devices powered by low-energy batteries, equipped with radio transceivers, and responding to physical stimuli, such as pressure, magnetism and motion, by emitting radio signals. Such devices are subject to resource constraints (involving power, storage and computation) and low transmission rates. Wireless sensor networks (WSNs) are large-scale networks of sensor nodes deployed in strategic areas to gather data. Sensor nodes collaborate using wireless communications with an asymmetric many-to-one data transfer model. Typically, they send their sensed events or data to a specific node, called sink node or base station, which collects the requested information. WSNs are primarily designed for monitoring environments that humans cannot easily reach (e.g., motion, target tracking, fire detection, chemicals, temperature); they are used as embedded systems (e.g., biomedical sensor engineering, smart homes) or mobile applications (e.g., when attached to robots, soldiers, or vehicles).

An important issue in WSNs is network security: sensor nodes are vulnerable to several kinds of threats and risks. Unlike wired networks, wireless devices use radio frequency channels to broadcast their messages. An adversary can compromise a sensor node, alter the integrity of the data, eavesdrop on messages, inject fake messages, and waste network resources. Thus, one of the challenges in developing trustworthy WSNs is to provide high-security features with limited resources.

Generally, in order to have secure communication between two (or more) parties, a secure association must be established by sharing a secret. This secret must be created, distributed and updated by one (or more) entity and it is often represented by the knowledge of a cryptographic key. The management of such cryptographic keys is the core of any security protocol. Due to resource limitations, all key management protocols for WSNs, such as µTESLA [32], LiSP [31], LEAP [43], PEBL [5] and INF [1], are based on symmetric cryptography rather than heavy public-key schemes, such as Diffie-Hellman [7] and RSA [34].

In this paper, we adopt a process calculus approach to formalise and verify real-world key management protocols for WSNs. A process calculus is a formal and concise language that allows us to express system behaviour in the form of a process term. In recent years, a number of distributed process calculi have been proposed for modelling different aspects of wireless systems [?, ?, 35, 14, 10, 25, 13]. Except for [?], none of these calculi performs any security analysis. On the other hand, some process algebras, such as CryptoCCS and tCryptoSPA [15], have already been used in [13, 16] to study network security protocols, also in a wireless scenario. These calculi are extensions of Milner's CCS [26], where node distribution, local broadcast communication, and message loss are codified in terms of point-to-point transmission and a (discrete) notion of time.

We propose a simple timed broadcasting process calculus, called aTCWS, for modelling wireless network protocols. Our broadcast communications span over a limited area, called transmission range. The time model we use is known as the fictitious clock approach (see e.g. [?]): a global clock is supposed to be updated whenever all nodes agree on this, by globally synchronising on a special timing action σ.¹ Both transmission and internal actions are assumed to take no time. This is a reasonable assumption whenever the duration of those actions is negligible with respect to the chosen time unit. The operational semantics of our calculus is given in terms of a labelled transition semantics in the SOS style of Plotkin. The calculus enjoys standard time properties, such as time determinism, maximal progress and patience [17]. The labelled transition semantics is then used to derive a standard (weak) bisimulation theory.

Based on our simulation theory, we reformulate Gorrieri and Martinelli's timed Generalized Non-Deducibility on Compositions (tGNDC) scheme [?, ?], a well-known general framework for the definition of timed security properties. We concentrate on two particular timed security properties expressed as instances of tGNDC: timed integrity, which guarantees the freshness of authenticated packets; and timed agreement, for which agreement between two parties must be reached within a certain deadline. A nice aspect of these two properties is that whenever they do not hold it is possible to build a specific attacker that invalidates the property under examination.

We use our calculus to provide a formal specification of three well-known key management protocols for WSNs: (i) µTESLA [32], which achieves authenticated broadcast; (ii) the Localized Encryption and Authentication Protocol, LEAP+ [43], intended for large-scale wireless sensor networks; (iii) the Lightweight Security Protocol, LiSP [31], that, through an efficient mechanism of re-keying, provides a good trade-off between resource consumption and network security.

¹ Time synchronisation relies on the presence of some clock synchronisation protocol for sensor networks [37].

Table 1 Syntax of aTCWS.

Networks:
$M, N ::= \mathbf{0}$  empty network
$\qquad \mid\ M_1 \mid M_2$  parallel composition
$\qquad \mid\ n[P]^\nu$  node

Processes:
$P, Q ::= \mathsf{nil}$  termination
$\qquad \mid\ !\langle u\rangle.P$  broadcast
$\qquad \mid\ \lfloor ?(x).P\rfloor Q$  receiver with timeout
$\qquad \mid\ \lfloor \sum_{i\in I}\tau.P_i\rfloor Q$  internal choice with timeout
$\qquad \mid\ \sigma.P$  sleep
$\qquad \mid\ [u_1 = u_2]P;Q$  matching
$\qquad \mid\ [u_1 \ldots u_n \vdash_r x]P;Q$  deduction
$\qquad \mid\ H(\tilde{u})$  guarded recursion

As a main result of the paper, we formally prove that the bootstrapping phase of µTESLA enjoys the timed integrity property, while it does not satisfy timed agreement as it is exposed to a replay attack. Once bootstrapping is terminated, the core of the protocol, i.e. the authenticated-broadcast phase, enjoys both timed integrity and timed agreement. Then, we prove that the single-hop pairwise shared key mechanism of LEAP+ enjoys timed integrity, while it does not respect timed agreement due to the presence of another replay attack, despite the security assessment of [43]. Finally, we prove that the LiSP protocol satisfies neither timed integrity nor timed agreement. Again, our proof relies on exhibiting a replay attack on the protocol. To our knowledge all these attacks are new and they have not yet appeared in the literature.

We end this introduction with an outline of the paper. In Section 2 we provide syntax, operational semantics and behavioural semantics of aTCWS. In the same section we prove that our calculus enjoys time determinism, maximal progress and patience. In Section 3 we adapt Gorrieri and Martinelli's tGNDC framework to aTCWS. In Sections 4, 5 and 6 we provide a security analysis of the three key management protocols mentioned above. The paper ends with a section on conclusions, future and related work.



2 The Calculus

In Table 1 we provide the syntax of our applied Timed Calculus for Wireless Systems, in short aTCWS, in a two-level structure: a lower one for processes and an upper one for networks.
We assume a set $\mathit{Nds}$ of logical node names, ranged over by letters $m, n$. $\mathit{Var}$ is the set of variables, ranged over by $x, y, z$. We define $\mathit{Val}$ to be the set of values, and $\mathit{Msg}$ to be the set of messages, i.e., closed values that do not contain variables. Letters $u, u', \ldots$ range over $\mathit{Val}$, and $v, w, \ldots$ range over $\mathit{Msg}$. We assume a class of message constructors ranged over by $F'$.

Both syntax and operational semantics of aTCWS are parametric with respect to a given decidable inference system, i.e. a set of rules to model operations on messages by using constructors. For instance, the rules

$$(\mathrm{pair})\ \frac{w_1 \quad w_2}{\mathrm{pair}(w_1,w_2)} \qquad (\mathrm{fst})\ \frac{\mathrm{pair}(w_1,w_2)}{w_1} \qquad (\mathrm{snd})\ \frac{\mathrm{pair}(w_1,w_2)}{w_2}$$

allow us to deal with pairs of values. We write $w_1 \ldots w_k \vdash_r w_0$ to denote an application of rule $r$ to the closed values $w_1 \ldots w_k$ to infer $w_0$. Given an inference system, the deduction function $\mathcal{D} : 2^{\mathit{Msg}} \to 2^{\mathit{Msg}}$ associates a (finite) set $\phi$ of messages to the set $\mathcal{D}(\phi)$ of messages that can be deduced from $\phi$, by applying instances of the rules of the inference system.

In aTCWS, networks are collections of nodes (which represent devices) running in parallel and using a unique common channel to communicate with each other. All nodes are assumed to have the same transmission range (this is a quite common assumption in models for sensor networks [27]). The communication paradigm is local broadcast: only nodes located in the range of the transmitter may receive data. We write $n[P]^\nu$ for a node named $n$ (the device network address) executing the sequential process $P$. The tag $\nu$ contains (the names of) the neighbours of $n$ ($\nu \subseteq \mathit{Nds}$). In other words, $\nu$ contains all nodes in the transmission cell of $n$ (except $n$ itself), thus modelling the network topology.² For simplicity, when $\nu = \{m\}$ we will omit the braces. Our wireless networks have a fixed topology as node mobility is not relevant to most sensor networks. Moreover, nodes cannot be created or destroyed.

Processes are sequential and live within the nodes. We let $\mathit{Prc}$ be the set of all possible processes. We write $\mathsf{nil}$ to denote the skip process. The sender process $!\langle w\rangle.P$ broadcasts the message $w$, the continuation being $P$. The process $\lfloor ?(x).P\rfloor Q$ denotes a receiver with timeout. Upon successful reception, the variable $x$ of $P$ is instantiated with the received message. The process $\lfloor \sum_{i\in I}\tau.P_i\rfloor Q$ denotes internal choice with timeout. The process $\sigma.P$ models sleeping for the current time slot. The process $[w_1 = w_2]P;Q$ is the standard "if then else" construct: it behaves as $P$ if $w_1 = w_2$, and as $Q$ otherwise. The process $[w_1 \ldots w_k \vdash_r x]P;Q$ is the inference construct. It tries to infer a message $w$ from the premises $w_1 \ldots w_k$ through an application of rule $r$; if it succeeds, then it behaves as $P$ (where $w$ replaces $x$), otherwise it behaves as $Q$.

In the processes $!\langle w\rangle.P$, $\lfloor ?(x).P\rfloor Q$, $\lfloor \sum_{i\in I}\tau.P_i\rfloor Q$ and $\sigma.Q$, the occurrences of $P$, $P_i$ and $Q$ are said to be guarded; the occurrences of $Q$ are also said to be time-guarded. In the processes $\lfloor ?(x).P\rfloor Q$ and $[w_1 \ldots w_n \vdash_r x]P$ the variable $x$ is said to be bound in $P$. A variable which is not bound is said to be free. We adopt the standard notion of α-conversion on bound variables and we identify processes up to α-conversion. We assume there are no free variables in our networks. The absence of free variables will be maintained as networks evolve. We write $\{w/x\}P$ for the substitution of the variable $x$ with the message $w$ in $P$.

² We could have represented the topology in terms of a restriction operator à la CCS on node names; we have preferred our notation to keep at hand the neighbours of a node.






In order to deal with (guarded) recursion, we assume a set $\mathit{PrcIds}$ of process identifiers ranged over by $H, H_1, H_2, \ldots$, and we write $H(w_1, \ldots, w_k)$ to denote a process defined via an equation $H(x_1, \ldots, x_k) \stackrel{\mathrm{def}}{=} P$, where (i) the tuple $x_1, \ldots, x_k$ contains all the variables that appear free in $P$, and (ii) $P$ contains only guarded occurrences of the process identifiers, such as $H$ itself. We say that recursion is time-guarded if $P$ contains only time-guarded occurrences of the process identifiers. We write $\mathit{Prc}_{wt}$ for the set of processes in which summations are finite-indexed and recursive definitions are time-guarded.

Remark 2.1 The recursion construct allows us to define persistent listeners, i.e., receivers which wait indefinitely for an incoming message, as $\mathit{Rcv} \stackrel{\mathrm{def}}{=} \lfloor ?(x).P\rfloor \mathit{Rcv}$; similarly, internal choice (without timeout) can be defined as $\mathit{Sum} \stackrel{\mathrm{def}}{=} \lfloor \sum_{i\in I}\tau.P_i\rfloor \mathit{Sum}$.

We report some notational conventions. We write $\prod_{i\in I} M_i$ to mean the parallel composition of all $M_i$, for $i \in I$. We identify $\prod_{i\in I} M_i = \mathbf{0}$ if $I = \emptyset$. The process $[w_1 = w_2]P$ is an abbreviation for $[w_1 = w_2]P;\mathsf{nil}$. Similarly, we will write $[w_1 \ldots w_n \vdash_r x]P$ to mean $[w_1 \ldots w_n \vdash_r x]P;\mathsf{nil}$.

In the sequel, we will make use of a standard notion of structural congruence to abstract over processes that differ only in minor syntactic details.

Definition 2.2 Structural congruence over networks, written $\equiv$, is defined as the smallest equivalence relation, preserved by parallel composition, which is a commutative monoid with respect to parallel composition and internal choice, and for which $n[H(\tilde{w})]^\nu \equiv n[\{\tilde{w}/\tilde{x}\}P]^\nu$, if $H(\tilde{x}) \stackrel{\mathrm{def}}{=} P$.

Here, we provide some definitions that will be useful in the remainder of the paper. Given a network $M$, $\mathit{nds}(M)$ returns the node names of $M$. More formally:

$$\mathit{nds}(\mathbf{0}) \stackrel{\mathrm{def}}{=} \emptyset;\qquad \mathit{nds}(n[P]^\nu) \stackrel{\mathrm{def}}{=} \{n\};\qquad \mathit{nds}(M_1 \mid M_2) \stackrel{\mathrm{def}}{=} \mathit{nds}(M_1) \cup \mathit{nds}(M_2).$$

For $m \in \mathit{nds}(M)$, the function $\mathit{ngh}(m, M)$ returns the set of the neighbours of $m$ in $M$. Thus, if $M = m[P]^\nu \mid N$ then $\mathit{ngh}(m, M) = \nu$. We write $\mathit{Env}(M)$ to mean all the nodes of the environment reachable by the network $M$. Formally: $\mathit{Env}(M) \stackrel{\mathrm{def}}{=} \bigcup_{m \in \mathit{nds}(M)} \mathit{ngh}(m, M) \setminus \mathit{nds}(M)$.

The syntax provided in Table 1 allows us to derive networks which are somehow ill-formed. The following definition identifies well-formed networks. Basically, it (i) rules out networks containing two nodes with the same name; (ii) imposes symmetric neighbouring relations (we recall that all nodes have the same transmission range); (iii) imposes network connectivity to allow clock synchronisation.

Definition 2.3 (Well-formedness) $M$ is said to be well-formed if

• whenever $M \equiv N \mid m_1[P_1]^{\nu_1} \mid m_2[P_2]^{\nu_2}$ then $m_1 \neq m_2$;

• whenever $M \equiv N \mid m_1[P_1]^{\nu_1} \mid m_2[P_2]^{\nu_2}$, with $m_1 \in \nu_2$, then $m_2 \in \nu_1$;

• for all $m, n \in \mathit{nds}(M)$ there are $m_1, \ldots, m_k \in \mathit{nds}(M)$ such that $m = m_1$, $n = m_k$ and $m_i \in \mathit{ngh}(m_{i+1}, M)$, for $1 \le i \le k-1$.

We let $\mathit{Net}$ be the set of well-formed networks. Henceforth, we will always work with networks in $\mathit{Net}$.
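The functions nds, ngh and Env and the three conditions of Definition 2.3 can be checked mechanically. The following Python code is an added example, not code from the paper: it represents a network as a list of (node name, neighbour set) pairs (the process running at a node plays no role in well-formedness, so it is omitted), implements nds, ngh and Env as defined above, and reports which condition of Definition 2.3 a network violates. The two sample networks are constructed for illustration.

```python
from collections import deque
from typing import List, Set, Tuple

# A network is a list of (node name, neighbour tag nu) pairs. Using a list
# rather than a dict lets condition (i), duplicate names, actually be detected.
Network = List[Tuple[str, Set[str]]]


def nds(net: Network) -> Set[str]:
    """nds(M): the node names occurring in M."""
    return {name for name, _ in net}


def ngh(m: str, net: Network) -> Set[str]:
    """ngh(m, M): the neighbour tag of node m (first occurrence if duplicated)."""
    for name, nu in net:
        if name == m:
            return set(nu)
    raise KeyError(m)


def env(net: Network) -> Set[str]:
    """Env(M): the union of all neighbour tags, minus the nodes of M itself."""
    reachable: Set[str] = set()
    for _, nu in net:
        reachable |= nu
    return reachable - nds(net)


def well_formedness_violations(net: Network) -> List[str]:
    """List the conditions of Definition 2.3 that M violates (empty list = well-formed)."""
    violations: List[str] = []
    names = [name for name, _ in net]
    inside = nds(net)

    # (i) no two nodes carry the same name
    if len(names) != len(inside):
        violations.append("duplicate node names")

    # (ii) symmetric neighbouring: m1 in nu2 implies m2 in nu1, for m1, m2 both in M
    for m2, nu2 in net:
        for m1 in sorted(nu2 & inside):
            if m2 not in ngh(m1, net):
                violations.append(f"asymmetric link: {m1} in ngh({m2}) but {m2} not in ngh({m1})")

    # (iii) connectivity: a chain m = m1, ..., mk = n with m_i in ngh(m_{i+1}, M)
    #       exists for all m, n iff every node reaches every other node by
    #       following neighbour tags inside M.
    def reach(start: str) -> Set[str]:
        seen, todo = {start}, deque([start])
        while todo:
            cur = todo.popleft()
            for nxt in ngh(cur, net) & inside:
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen

    for n in sorted(inside):
        if reach(n) != inside:
            violations.append(f"not connected: {sorted(inside - reach(n))} unreachable from {n}")
            break
    return violations


# Constructed sample: a chain m - n - o in which m also hears an external node
# "obs"; obs is therefore in Env(M) but not in nds(M).
GOOD: Network = [("m", {"n", "obs"}), ("n", {"m", "o"}), ("o", {"n"})]

# Constructed ill-formed sample: a duplicated name, one-way links, no connectivity.
BAD: Network = [("m", {"n"}), ("n", set()), ("o", set()), ("m", {"o"})]
```

Running `well_formedness_violations(GOOD)` returns an empty list and `env(GOOD)` returns `{"obs"}`, while `BAD` triggers every condition: the duplicate `m`, two asymmetric links, and a node unreachable from another.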






Table 2 LTS - Transmissions, internal actions and time passing.

$$(\mathrm{Snd})\ \frac{}{m[!\langle w\rangle.P]^\nu \xrightarrow{m!w\triangleright\nu} m[P]^\nu}
\qquad
(\mathrm{Rcv})\ \frac{m \in \nu}{n[\lfloor ?(x).P\rfloor Q]^\nu \xrightarrow{m?w} n[\{w/x\}P]^\nu}$$

$$(\mathrm{RcvEnb})\ \frac{m \notin \mathit{nds}(M)}{M \xrightarrow{m?w} M}
\qquad
(\mathrm{RcvPar})\ \frac{M \xrightarrow{m?w} M' \quad N \xrightarrow{m?w} N'}{M \mid N \xrightarrow{m?w} M' \mid N'}$$

$$(\mathrm{Bcast})\ \frac{M \xrightarrow{m!w\triangleright\nu} M' \quad N \xrightarrow{m?w} N' \quad \mu := \nu \setminus \mathit{nds}(N)}{M \mid N \xrightarrow{m!w\triangleright\mu} M' \mid N'}$$

$$(\mathrm{Tau})\ \frac{h \in I}{m[\lfloor \sum_{i\in I}\tau.P_i\rfloor Q]^\nu \xrightarrow{\tau} m[P_h]^\nu}
\qquad
(\mathrm{TauPar})\ \frac{M \xrightarrow{\tau} M'}{M \mid N \xrightarrow{\tau} M' \mid N}$$

$$(\sigma\text{-nil})\ \frac{}{n[\mathsf{nil}]^\nu \xrightarrow{\sigma} n[\mathsf{nil}]^\nu}
\qquad
(\mathrm{Sleep})\ \frac{}{n[\sigma.P]^\nu \xrightarrow{\sigma} n[P]^\nu}
\qquad
(\sigma\text{-}\mathbf{0})\ \frac{}{\mathbf{0} \xrightarrow{\sigma} \mathbf{0}}$$

$$(\sigma\text{-Rcv})\ \frac{}{n[\lfloor ?(x).P\rfloor Q]^\nu \xrightarrow{\sigma} n[Q]^\nu}
\qquad
(\sigma\text{-Sum})\ \frac{}{n[\lfloor \sum_{i\in I}\tau.P_i\rfloor Q]^\nu \xrightarrow{\sigma} n[Q]^\nu}
\qquad
(\sigma\text{-Par})\ \frac{M \xrightarrow{\sigma} M' \quad N \xrightarrow{\sigma} N'}{M \mid N \xrightarrow{\sigma} M' \mid N'}$$

2.1 Labelled Transition Semantics 

In Table 2 we provide a Labelled Transition System (LTS) for aTCWS in the SOS style of Plotkin. Intuitively, the computation proceeds in lock-step: between every global synchronisation all nodes proceed asynchronously by performing actions with no duration, which represent either broadcast, input or internal actions. Communication proceeds even if there are no listeners: transmission is a non-blocking action. Moreover, communication is lossy as some receivers within the range of the transmitter might not receive the message. This may be due to several reasons such as signal interference or the presence of obstacles.

The metavariable $\lambda$ ranges over the set of labels $\{\tau, \sigma, m!w\triangleright\nu, m?w\}$ denoting internal action, time passing, broadcasting and reception. Let us comment on the transition rules of Table 2. In rule (Snd) a sender $m$ dispatches a message $w$ to its neighbours $\nu$, and then continues as $P$. In rule (Rcv) a receiver $n$ gets a message $w$ coming from a neighbour node $m$, and then evolves into process $P$, where all the occurrences of the variable $x$ are replaced with $w$. If no message is received in the current time slot, a timeout fires and the node $n$ will continue with process $Q$, according to the rule (σ-Rcv). The rule (RcvPar) models the composition of two networks receiving the same message from the same transmitter. Rule (RcvEnb) says that every node can synchronise with an external transmitter $m$. Notice that a node $n[\lfloor ?(x).P\rfloor Q]^\nu$ might execute rule (RcvEnb) instead of rule (Rcv). This is because a potential receiver may miss a message for several reasons (internal misbehaving, interference, weak radio signal, etc.); in this manner we model message loss. Rule (Bcast) models the propagation of messages on the broadcast channel. Note that this rule loses track of the neighbours of $m$ that are in $N$. Thus, in the label $m!w\triangleright\nu$ the set $\nu$ always contains the neighbours of $m$ which can receive the message $w$. Rule (Tau) models local computations within a node due to a nondeterministic internal choice. Rule (TauPar) propagates internal computations on parallel components. The remaining rules model the passage of time. Rule (Sleep) models sleeping for one time slot. Rules (σ-nil) and (σ-0) are straightforward. Rule (σ-Rcv) models timeout on receivers, and similarly rule (σ-Sum) describes timeout on internal activities. Rule (σ-Par) models time synchronisation between parallel components. Rules (Bcast) and (TauPar) have their symmetric counterparts. Table 3 reports the straightforward rules for nodes containing matching, recursion or deduction.

Table 3 LTS - Matching, recursion and deduction.

$$(\mathrm{Then})\ \frac{n[P]^\nu \xrightarrow{\lambda} n[P']^\nu}{n[[w = w]P;Q]^\nu \xrightarrow{\lambda} n[P']^\nu}
\qquad
(\mathrm{Else})\ \frac{n[Q]^\nu \xrightarrow{\lambda} n[Q']^\nu \quad w_1 \neq w_2}{n[[w_1 = w_2]P;Q]^\nu \xrightarrow{\lambda} n[Q']^\nu}$$

$$(\mathrm{Rec})\ \frac{n[\{\tilde{w}/\tilde{x}\}P]^\nu \xrightarrow{\lambda} n[P']^\nu \quad H(\tilde{x}) \stackrel{\mathrm{def}}{=} P}{n[H(\tilde{w})]^\nu \xrightarrow{\lambda} n[P']^\nu}$$

$$(\mathrm{DedTrue})\ \frac{n[\{w/x\}P]^\nu \xrightarrow{\lambda} n[P']^\nu \quad w_1 \ldots w_n \vdash_r w}{n[[w_1 \ldots w_n \vdash_r x]P;Q]^\nu \xrightarrow{\lambda} n[P']^\nu}
\qquad
(\mathrm{DedFalse})\ \frac{n[Q]^\nu \xrightarrow{\lambda} n[Q']^\nu \quad \nexists w.\ w_1 \ldots w_n \vdash_r w}{n[[w_1 \ldots w_n \vdash_r x]P;Q]^\nu \xrightarrow{\lambda} n[Q']^\nu}$$

Below, we report a number of basic properties of our LTS.

Proposition 2.4 Let $M$, $M_1$ and $M_2$ be well-formed networks.

1. $m \notin \mathit{nds}(M)$ if and only if $M \xrightarrow{m?w} N$, for some network $N$.

2. $M_1 \mid M_2 \xrightarrow{m?w} N$ if and only if there are $N_1$ and $N_2$ such that $M_1 \xrightarrow{m?w} N_1$, $M_2 \xrightarrow{m?w} N_2$ with $N = N_1 \mid N_2$.

3. If $M \xrightarrow{m!w\triangleright\mu} M'$ then $M = m[!\langle w\rangle.P]^\nu \mid N$, for some $m$, $\nu$, $P$ and $N$ such that $m[!\langle w\rangle.P]^\nu \xrightarrow{m!w\triangleright\nu} m[P]^\nu$, $N \xrightarrow{m?w} N'$, $M' = m[P]^\nu \mid N'$ and $\mu = \nu \setminus \mathit{nds}(N)$.

4. If $M \xrightarrow{\tau} M'$ then $M = m[\lfloor \sum_{i\in I}\tau.P_i\rfloor Q]^\nu \mid N$, for some $m$, $\nu$, $P_i$, $Q$ and $N$ such that $m[\lfloor \sum_{i\in I}\tau.P_i\rfloor Q]^\nu \xrightarrow{\tau} m[P_h]^\nu$, for some $h \in I$, and $M' = m[P_h]^\nu \mid N$.

5. $M_1 \mid M_2 \xrightarrow{\sigma} N$ if and only if there are $N_1$ and $N_2$ such that $M_1 \xrightarrow{\sigma} N_1$, $M_2 \xrightarrow{\sigma} N_2$ and $N = N_1 \mid N_2$.
As the topology of our networks is static and nodes cannot be created or destroyed, it is easy to prove the following result.

Proposition 2.5 (Well-formedness preservation) Let $M$ be a well-formed network. If $M \xrightarrow{\lambda} M'$ then $M'$ is a well-formed network.

Proof By induction on the derivation of the transition $M \xrightarrow{\lambda} M'$. □



2.2 Time properties 

Our calculus aTCWS enjoys some desirable time properties. Here, we outline the most significant ones. Proposition 2.6 formalises the deterministic nature of time passing: a network can reach at most one new state by executing a σ-action.

Proposition 2.6 (Time Determinism) If $M$ is a well-formed network with $M \xrightarrow{\sigma} M'$ and $M \xrightarrow{\sigma} M''$, then $M'$ and $M''$ are syntactically the same.

Proof By induction on the length of the proof of $M \xrightarrow{\sigma} M'$. □

Patience guarantees that a process will wait indefinitely until it can communicate [17]. In our setting, this means that if no transmissions can start then it must be possible to execute a σ-action to let time pass.

Proposition 2.7 (Patience) Let $M = \prod_{i\in I} m_i[P_i]^{\nu_i}$ be a well-formed network, such that for all $i \in I$ it holds that $m_i[P_i]^{\nu_i} \neq m_i[!\langle w\rangle.Q_i]^{\nu_i}$; then there is a network $N$ such that $M \xrightarrow{\sigma} N$.

Proof By induction on the structure of $M$. □

The maximal progress property says that processes communicate as soon as a possibility of communication arises [17]. In other words, the passage of time cannot block transmissions.



Proposition 2.8 (Maximal Progress) Let $M$ be a well-formed network. If $M = m[!\langle w\rangle.P]^\nu \mid N$ then $M \xrightarrow{\sigma} M'$ for no network $M'$.

Proof By inspection of the rules that can be used to derive $M \xrightarrow{\sigma} M'$, because sender nodes cannot perform σ-actions. □

Basically, time cannot pass unless the specification itself explicitly asks for it. This approach gives a lot of power to the specification, which can precisely handle the flow of time. Such extra expressive power leads, as a drawback, to the possibility of abuses. For instance, infinite loops of broadcast actions or internal computations prevent time from passing. The well-timedness (or finite variability) property [29] puts a limit on the number of instantaneous actions that can fire between two contiguous σ-actions. Intuitively, well-timedness says that time passing never stops: only a finite number of instantaneous actions can fire between two subsequent σ-actions.

Definition 2.9 (Well-Timedness) A network $M$ satisfies well-timedness if there exists an upper bound $t \in \mathbb{N}$ such that whenever $M \xrightarrow{\lambda_1} \cdots \xrightarrow{\lambda_h}$ where $\lambda_j$ is not directly derived by an application of (RcvEnb) and $\lambda_j \neq \sigma$ (for $1 \le j \le h$) then $h \le t$.

The above definition takes into account only transitions denoting an active involvement of the network; that is why we have left out those transitions which can be derived by applying rule (RcvEnb). However, as aTCWS is basically a specification language, there is no harm in allowing specifications which do not respect well-timedness. Of course, when using our language to give a protocol implementation, one must verify that the implementation satisfies well-timedness: no real-world service (not even an attacker) can stop the passage of time.

The following proposition provides a criterion to check well-timedness. We recall that $\mathit{Prc}_{wt}$ denotes the set of processes where summations are always finite-indexed and recursive definitions are always time-guarded.

Proposition 2.10 Let $M = \prod_{i\in I} m_i[P_i]^{\nu_i}$ be a network. If for all $i \in I$ we have $P_i \in \mathit{Prc}_{wt}$ then $M$ satisfies well-timedness.

Proof First notice that without an application of (RcvEnb) the network $M$ can perform only a finite number of transitions. Then proceed by induction on the structure of $M$. □
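To see how Time Determinism, Patience and Maximal Progress follow from the shape of the σ-rules, here is an added Python model (not code from the paper) of the time rules of Table 2 and of rule (Bcast) for the fragment nil, !⟨w⟩.P, ⌊?(x).P⌋Q, ⌊Σ τ.P_i⌋Q and σ.P. Processes are nested tuples, a network is a dict from node name to (process, neighbour set), and message loss is modelled, as rule (RcvEnb) allows, by choosing which neighbours actually hear a transmission. The sample network is constructed for illustration.

```python
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Process terms (nested tuples):
#   ("nil",)  ("send", w, P)  ("recv", x, P, Q)  ("sum", [P1, ...], Q)  ("sleep", P)
# A payload is an atom (str) or a variable ("var", x).
# A network maps node name -> (process, frozenset of neighbour names).
Network = Dict[str, Tuple[tuple, FrozenSet[str]]]


def sigma_node(p: tuple) -> Optional[tuple]:
    """σ-rules of Table 2 for one node; None when the node refuses to let time pass."""
    tag = p[0]
    if tag == "nil":     # (σ-nil)
        return p
    if tag == "sleep":   # (Sleep): the current slot is consumed
        return p[1]
    if tag == "recv":    # (σ-Rcv): timeout, continue with Q
        return p[3]
    if tag == "sum":     # (σ-Sum): timeout on the internal choice
        return p[2]
    return None          # (Snd) has no σ-rule: a sender blocks time


def sigma(net: Network) -> Optional[Network]:
    """(σ-Par) over the whole network. The result is a function of the input
    (Time Determinism), it is None as soon as one node is a sender (Maximal
    Progress), and a network without senders always has one (Patience)."""
    new: Network = {}
    for name, (p, nu) in net.items():
        q = sigma_node(p)
        if q is None:
            return None
        new[name] = (q, nu)
    return new


def subst(p: tuple, x: str, w: str) -> tuple:
    """{w/x}P for this fragment, where x can only occur in send payloads."""
    tag = p[0]
    if tag == "nil":
        return p
    if tag == "send":
        payload = w if p[1] == ("var", x) else p[1]
        return ("send", payload, subst(p[2], x, w))
    if tag == "recv":
        body = p[2] if p[1] == x else subst(p[2], x, w)   # an inner ?(x) rebinds x
        return ("recv", p[1], body, subst(p[3], x, w))
    if tag == "sum":
        return ("sum", [subst(q, x, w) for q in p[1]], subst(p[2], x, w))
    if tag == "sleep":
        return ("sleep", subst(p[1], x, w))
    raise ValueError(f"unknown process {tag}")


def broadcast(net: Network, m: str, delivered: Set[str]):
    """(Snd) + (Rcv)/(RcvEnb) + (Bcast): node m transmits; neighbours in
    `delivered` that are receivers get the message, the others miss it.
    Returns the new network and the label m!w▹μ with μ = ν \\ nds(N)."""
    p, nu = net[m]
    if p[0] != "send":
        raise ValueError(f"{m} is not a sender")
    w = p[1]
    new = dict(net)
    new[m] = (p[2], nu)
    for n in nu & delivered:
        if n in net and net[n][0][0] == "recv":
            q, nu_n = net[n]
            new[n] = (subst(q[2], q[1], w), nu_n)
    mu = frozenset(nu - set(net))   # only neighbours outside the network stay in the label
    return new, (m, w, mu)


def example_network() -> Network:
    """Constructed sample: m broadcasts "hello" to n, o and an external node obs;
    n echoes whatever it receives; o merely sleeps for one slot."""
    return {
        "m": (("send", "hello", ("nil",)), frozenset({"n", "o", "obs"})),
        "n": (("recv", "x", ("send", ("var", "x"), ("nil",)), ("nil",)), frozenset({"m"})),
        "o": (("sleep", ("nil",)), frozenset({"m"})),
    }
```

Starting from `example_network()`, `sigma` refuses to advance while `m` holds a pending transmission; after `broadcast(net, "m", {"n"})` (so `o` misses the message) the label is `("m", "hello", frozenset({"obs"}))`, the receiver `n` has become a sender of `"hello"`, and only once both transmissions are done does `sigma` yield the unique next slot.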



2.3 Behavioural Semantics 

Based on the LTS of Section 2.1, we define a standard notion of timed labelled bisimilarity for aTCWS. In general, a bisimulation describes how two terms (in our case networks) can mimic each other's actions. Here, we focus on weak equivalences, i.e., we abstract from internal actions of the system, thus we must distinguish between the transmissions which may be observed and those which may not be observed by the environment. We extend the set of rules of Table 2 with the following two rules:

$$(\mathrm{Shh})\ \frac{M \xrightarrow{m!w\triangleright\emptyset} M'}{M \xrightarrow{\tau} M'}
\qquad
(\mathrm{Obs})\ \frac{M \xrightarrow{m!w\triangleright\nu} M' \quad \nu \neq \emptyset}{M \xrightarrow{!w\triangleright\nu} M'}$$

Rule (Shh) models transmissions that cannot be observed because none of the potential receivers is in the environment. Rule (Obs) models transmissions of messages that can be received (and hence observed) by those nodes of the environment contained in $\nu$. Notice that the name of the transmitter is removed from the label. This is motivated by the fact that nodes may refuse to reveal their identities, e.g. for security reasons or because of limited sensory capabilities in perceiving these identities. Note also that in a derivation tree the rule (Obs) can only be applied at top level.

In the remainder of the paper, the metavariable $\alpha$ will range over the following actions: $\tau$, $\sigma$, $!w\triangleright\nu$ and $m?w$. We adopt the standard notation for weak transitions: the relation $\Longrightarrow$ denotes the reflexive and transitive closure of $\xrightarrow{\tau}$; the relation $\stackrel{\alpha}{\Longrightarrow}$ denotes $\Longrightarrow\xrightarrow{\alpha}\Longrightarrow$; the relation $\stackrel{\hat\alpha}{\Longrightarrow}$ denotes $\Longrightarrow$ if $\alpha = \tau$ and $\stackrel{\alpha}{\Longrightarrow}$ otherwise.

Definition 2.11 (Bisimilarity) A relation $\mathcal{R}$ over well-formed networks is a simulation if $M\ \mathcal{R}\ N$ implies that whenever $M \xrightarrow{\alpha} M'$ there is $N'$ such that $N \stackrel{\hat\alpha}{\Longrightarrow} N'$ and $M'\ \mathcal{R}\ N'$. A relation $\mathcal{R}$ is called a bisimulation if both $\mathcal{R}$ and its converse are simulations. We say that $M$ and $N$ are similar, written $M \le N$, if there is a simulation $\mathcal{R}$ such that $M\ \mathcal{R}\ N$. We say that $M$ and $N$ are bisimilar, written $M \approx N$, if there is a bisimulation $\mathcal{R}$ such that $M\ \mathcal{R}\ N$.
The notions of similarity and bisimilarity between networks are congruences, as they are preserved by parallel composition. We give only the statement for bisimilarity. A similar statement holds for similarity.

Theorem 2.12 ($\approx$ is a congruence) Let $M$ and $N$ be two well-formed networks such that $M \approx N$. Then $M \mid O \approx N \mid O$ for all networks $O$ such that $M \mid O$ and $N \mid O$ are well-formed.

3 A Reformulation of tGNDC for Wireless Networks 

In order to achieve a formal verification of key management protocols for WSNs, we adopt a general schema for the definition of timed security properties, called timed Generalized Non-Deducibility on Compositions (tGNDC) [15], a real-time generalisation of Generalized Non-Deducibility on Compositions (GNDC) [8]. The main idea is the following: a system $M$ is $\mathrm{tGNDC}^{\rho(M)}$ if for every attacker $A$ the composed system $M \mid A$ satisfies the specification $\rho(M)$, with respect to a given timed behavioural relation. The timed behavioural relation we will use in the following analysis is the similarity relation $\le$ of Definition 2.11.

The tGNDC framework [15] was originally designed for an extension of Milner's CCS [26], where node distribution, local broadcast communication, and message loss are not primitives but codified in terms of point-to-point transmission and a (discrete) notion of time. In this section, we reformulate tGNDC in our setting.

A distributed protocol involves a set of nodes $\mathcal{P} = \{m_1, \ldots, m_k\}$ which may potentially be under attack, depending on their proximity to the attacker. This means that, in general, the attacker is a network composed of a number of, possibly colluding, nodes. In order to deal with the most general and adverse attacker we assume a set $\mathcal{A} = \{a_1, \ldots, a_k\}$ of fresh malicious nodes so that each node $m_i \in \mathcal{P}$ of the protocol is associated with a corresponding attacking node $a_i \in \mathcal{A}$ (for $i = 1, \ldots, k$). Every node in $\mathcal{A}$ is in touch both with the corresponding node in $\mathcal{P}$ and with the other nodes in $\mathcal{A}$.

Definition 3.1 (Attacking Nodes) We say that $\mathcal{A} = \{a_1, \ldots, a_k\} \subseteq \mathit{Nds}$ is a set of attacking nodes for $\mathcal{P} = \{m_1, \ldots, m_k\} \subseteq \mathit{Nds}$ if and only if $\mathcal{A} \cap \mathcal{P} = \emptyset$. We say that $\mathcal{A}$ is a set of attacking nodes for the network $M$ if and only if $\mathcal{A}$ is a set of attacking nodes for $\mathit{nds}(M)$ and $\mathcal{A} \cap \mathit{Env}(M) = \emptyset$.

In our setting, an attacker is parameterised both on the set of nodes $\mathcal{P}$ of the protocol under attack and on some initial knowledge $\phi_0$. During the execution of the protocol an attacker may increase its knowledge by grasping messages sent by the parties according to Dolev-Yao constraints.

The knowledge of a network is expressed by the set of messages that the network can manipulate. Thus, we write $\mathit{msg}(P)$ to denote the set of the messages that appear in the process $P$. Formally, we define $\mathit{msg}(P)$ as $\mathit{msg}_{\emptyset}(P)$, where $\mathit{msg}_S : \mathit{Prc} \to 2^{\mathit{Msg}}$, for $S \subseteq \mathit{PrcIds}$, is defined in Table 4 along the lines of [15]. Intuitively, $\mathit{msg}_S$ is a function that recursively visits the sub-terms of $P$ and the bodies of the recursive definitions referred to by $P$. The index $S$ is used to guarantee that the unwinding of every recursive definition is performed exactly once.
Table 4 Function $\mathit{msg}_S$.

$$\begin{array}{rcl}
\mathit{msg}_S(\mathsf{nil}) & \stackrel{\mathrm{def}}{=} & \emptyset \\
\mathit{msg}_S(!\langle u\rangle.P) & \stackrel{\mathrm{def}}{=} & \mathit{get}(u) \cup \mathit{msg}_S(P) \\
\mathit{msg}_S(\lfloor ?(x).P\rfloor Q) & \stackrel{\mathrm{def}}{=} & \mathit{msg}_S(P) \cup \mathit{msg}_S(Q) \\
\mathit{msg}_S(\lfloor \sum_{i\in I}\tau.P_i\rfloor Q) & \stackrel{\mathrm{def}}{=} & \bigcup_{i\in I}\mathit{msg}_S(P_i) \cup \mathit{msg}_S(Q) \\
\mathit{msg}_S(\sigma.P) & \stackrel{\mathrm{def}}{=} & \mathit{msg}_S(P) \\
\mathit{msg}_S([u_1 = u_2]P;Q) & \stackrel{\mathrm{def}}{=} & \mathit{get}(u_1) \cup \mathit{get}(u_2) \cup \mathit{msg}_S(P) \cup \mathit{msg}_S(Q) \\
\mathit{msg}_S([u_1 \ldots u_n \vdash_r x]P;Q) & \stackrel{\mathrm{def}}{=} & \bigcup_{i=1}^{n}\mathit{get}(u_i) \cup \mathit{msg}_S(P) \cup \mathit{msg}_S(Q) \\
\mathit{msg}_S(H(u_1, \ldots, u_k)) & \stackrel{\mathrm{def}}{=} & \begin{cases} \bigcup_{i=1}^{k}\mathit{get}(u_i) \cup \mathit{msg}_{S \cup \{H\}}(P) & \text{if } H(\tilde{x}) \stackrel{\mathrm{def}}{=} P \text{ and } H \notin S \\ \bigcup_{i=1}^{k}\mathit{get}(u_i) & \text{otherwise} \end{cases}
\end{array}$$

where $\mathit{get} : \mathit{Val} \to 2^{\mathit{Msg}}$ is defined as follows:

$$\begin{array}{rcll}
\mathit{get}(a) & \stackrel{\mathrm{def}}{=} & \{a\} & \text{(basic message)} \\
\mathit{get}(x) & \stackrel{\mathrm{def}}{=} & \emptyset & \text{(variable)} \\
\mathit{get}(F'(u_1, \ldots, u_k)) & \stackrel{\mathrm{def}}{=} & \begin{cases} \{F'(u_1, \ldots, u_k)\} \cup \{u_1, \ldots, u_k\} & \text{if } F'(u_1, \ldots, u_k) \in \mathit{Msg} \\ \mathit{get}(u_1) \cup \ldots \cup \mathit{get}(u_k) & \text{otherwise.} \end{cases}
\end{array}$$

A straightforward generalisation of $\mathit{msg}_S$ to networks is the following:

$$\mathit{msg}(\mathbf{0}) \stackrel{\mathrm{def}}{=} \emptyset;\qquad \mathit{msg}(n[P]^\nu) \stackrel{\mathrm{def}}{=} \mathit{msg}(P);\qquad \mathit{msg}(M_1 \mid M_2) \stackrel{\mathrm{def}}{=} \mathit{msg}(M_1) \cup \mathit{msg}(M_2).$$

Now, everything is in place to formally define our notion of attacking networks. For simplicity, in the rest of the paper, given a set of nodes $N$ and a node $n$, we will write $N \setminus n$ for $N \setminus \{n\}$, and $N \cup n$ for $N \cup \{n\}$. Moreover, we will use the symbol $\uplus$ to denote disjoint union.

Definition 3.2 (Attacker) Given a set of node names $\mathcal{P} = \{m_1, \ldots, m_k\}$, a set $\mathcal{A} = \{a_1, \ldots, a_k\}$ of attacking nodes for $\mathcal{P}$, and an initial knowledge $\phi_0 \subseteq \mathit{Msg}$, we define the set of attacking networks as follows:

$$\mathsf{A}^{\phi_0}_{\mathcal{A}/\mathcal{P}} \stackrel{\mathrm{def}}{=} \Big\{ \prod_{i=1}^{k} a_i[Q_i]^{\nu_i} \ :\ Q_i \in \mathit{Prc}_{wt},\ \mathit{msg}(Q_i) \subseteq \mathcal{D}(\phi_0),\ \nu_i = (\mathcal{A} \setminus a_i) \cup m_i \Big\}$$

Remark 3.3 By Proposition 2.10, the requirement $Q_i \in \mathit{Prc}_{wt}$ in the definition of $\mathsf{A}^{\phi_0}_{\mathcal{A}/\mathcal{P}}$ guarantees that our attackers respect well-timedness and hence cannot prevent the passage of time.
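The knowledge-side condition $\mathit{msg}(Q_i) \subseteq \mathcal{D}(\phi_0)$ of Definition 3.2 can be checked mechanically once the inference system of Section 2 and the functions $\mathit{get}$ and $\mathit{msg}_S$ of Table 4 are implemented. The following Python code is an added example, not code from the paper, and serves both the deduction function $\mathcal{D}$ of Section 2 and Table 4: it implements the pair/fst/snd rules (the only inference rules shown on the page) with the usual Dolev-Yao membership test for $\mathcal{D}(\phi)$ (close $\phi$ under fst/snd, then synthesise the target with pair), the functions $\mathit{get}$ and $\mathit{msg}_S$ over processes written as nested tuples, and the resulting attacker check. It assumes that any constructor other than pair has no inference rule, so such a message is deducible only if already known; the initial knowledge, the recursive definition Spy and the candidate attacker processes are constructed samples.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Var:
    """A variable x of Var; any value without a Var inside is a message (Msg)."""
    name: str


# Values: an atom is a str, a constructor application F'(u1, ..., uk) is the tuple
# ("F'", u1, ..., uk). Processes are nested tuples:
#   ("nil",) ("send", u, P) ("recv", x, P, Q) ("sum", [P1, ...], Q) ("sleep", P)
#   ("match", u1, u2, P, Q) ("ded", [u1, ..., un], r, x, P, Q) ("call", H, [u1, ..., uk])
# Recursive definitions H(x1, ..., xk) = P are a dict H -> ((x1, ..., xk), P).
Defs = Dict[str, Tuple[Tuple[str, ...], tuple]]


def is_closed(u) -> bool:
    if isinstance(u, Var):
        return False
    if isinstance(u, tuple):
        return all(is_closed(a) for a in u[1:])
    return True


def analyse(phi: Set) -> Set:
    """Close phi under (fst) and (snd), the decomposition rules on the page."""
    known, todo = set(phi), list(phi)
    while todo:
        w = todo.pop()
        if isinstance(w, tuple) and w[0] == "pair":
            for part in w[1:]:
                if part not in known:
                    known.add(part)
                    todo.append(part)
    return known


def deducible(phi: Set, w) -> bool:
    """w in D(phi): analyse phi, then rebuild w top-down with (pair).
    Assumption: no constructor other than pair has a synthesis rule here."""
    known = analyse(phi)

    def synth(u) -> bool:
        if u in known:
            return True
        if isinstance(u, tuple) and u[0] == "pair":
            return synth(u[1]) and synth(u[2])
        return False

    return synth(w)


def get(u) -> Set:
    """get : Val -> 2^Msg of Table 4."""
    if isinstance(u, Var):
        return set()                                   # variable
    if isinstance(u, str):
        return {u}                                     # basic message
    if is_closed(u):
        return {u} | set(u[1:])                        # F'(u1..uk) in Msg
    return set().union(*(get(a) for a in u[1:]))       # open term: keep its closed parts


def msg(p: tuple, defs: Defs, seen: FrozenSet[str] = frozenset()) -> Set:
    """msg_S(P) of Table 4; `seen` is the index S, so every H is unwound once."""
    tag = p[0]
    rec = lambda q: msg(q, defs, seen)
    if tag == "nil":
        return set()
    if tag == "send":
        return get(p[1]) | rec(p[2])
    if tag == "recv":
        return rec(p[2]) | rec(p[3])
    if tag == "sum":
        return set().union(*(rec(q) for q in p[1])) | rec(p[2])
    if tag == "sleep":
        return rec(p[1])
    if tag == "match":
        return get(p[1]) | get(p[2]) | rec(p[3]) | rec(p[4])
    if tag == "ded":
        return set().union(*(get(u) for u in p[1])) | rec(p[4]) | rec(p[5])
    if tag == "call":
        h, args = p[1], p[2]
        out = set().union(*(get(u) for u in args))
        if h in defs and h not in seen:
            out |= msg(defs[h][1], defs, seen | {h})
        return out
    raise ValueError(f"unknown process {tag}")


def is_attacker_process(q: tuple, phi0: Set, defs: Defs) -> bool:
    """Knowledge condition of Definition 3.2: msg(Q) is a subset of D(phi0).
    (Membership in Prc_wt is not checked here; the sample Spy is time-guarded.)"""
    return all(deducible(phi0, w) for w in msg(q, defs))


# Constructed samples. Spy = ⌊?(x).σ.!⟨pair(x, a)⟩.Spy⌋Spy re-sends what it hears, paired with a.
DEFS: Defs = {
    "Spy": ((), ("recv", "x",
                 ("sleep", ("send", ("pair", Var("x"), "a"), ("call", "Spy", []))),
                 ("call", "Spy", []))),
}
PHI0 = {"a", "b"}
Q_REPLAY = ("call", "Spy", [])                      # msg = {a}: an admissible attacker
Q_PAIR = ("send", ("pair", "a", "b"), ("nil",))      # pair(a, b) is synthesised from a and b
Q_FORGE = ("send", ("pair", "a", "k"), ("nil",))     # k is not in D(phi0): rejected
```

The open payload pair(x, a) inside Spy contributes only `a` to `msg`, exactly as the "otherwise" case of `get` prescribes, so Q_REPLAY is admitted with the initial knowledge {a, b}; Q_FORGE is rejected because `k` cannot be deduced, even though the pair constructor itself is available.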

Sometimes, for verification reasons, we will be interested in observing part of the protocol $M$ under examination. We will assume that the environment contains a fresh node $\mathit{obs} \notin \mathit{nds}(M) \cup \mathit{Env}(M) \cup \mathcal{A}$, that we call the 'observer', unknown to the attacker. For convenience, the observer cannot transmit: it can only receive messages.
Definition 3.4 Given a network $M = \prod_{i=1}^{k} m_i[P_i]^{\nu_i}$, picked a set $\mathcal{A} = \{a_1, \ldots, a_k\}$ of attacking nodes for $M$ and fixed a set $O \subseteq \mathit{nds}(M)$ of nodes to be observed, we define:

$$M^{O}_{\mathcal{A}} \stackrel{\mathrm{def}}{=} \prod_{i=1}^{k} m_i[P_i]^{\nu'_i} \quad\text{where}\quad \nu'_i = \begin{cases} (\nu_i \cap \mathit{nds}(M)) \cup a_i \cup \mathit{obs} & \text{if } m_i \in O \\ (\nu_i \cap \mathit{nds}(M)) \cup a_i & \text{otherwise.} \end{cases}$$

This definition expresses that (i) every node $m_i$ of the protocol has a dedicated attacker located at $a_i$, (ii) network and attacker are considered in isolation, without any external interference, (iii) only $\mathit{obs}$ can observe the behaviour of nodes in $O$, (iv) node $\mathit{obs}$ does not interfere with the protocol as it cannot transmit, (v) the behaviour of the nodes in $\mathit{nds}(M) \setminus O$ is not observable. To ease the notation, whenever $O = \mathit{nds}(M)$ we will write $M_{\mathcal{A}}$ instead of $M^{\mathit{nds}(M)}_{\mathcal{A}}$. We can now formalise the tGNDC family of properties as follows.

Definition 3.5 (tGNDC) Given a network $M$, an initial knowledge $\phi_0$, a set $O \subseteq \mathit{nds}(M)$ of nodes under observation and a network $\rho(M)$, representing the specification property for $M$, we write $M \in \mathrm{tGNDC}^{\rho(M)}_{\phi_0}$ if and only if for all sets $\mathcal{A}$ of attacking nodes for $M$ it holds that

$$M^{O}_{\mathcal{A}} \mid A \ \le\ \rho(M) \quad \text{for every } A \in \mathsf{A}^{\phi_0}_{\mathcal{A}/\mathit{nds}(M)}.$$

It should be noticed that when showing that a system $M$ is $\mathrm{tGNDC}^{\rho(M)}_{\phi_0}$, the universal quantification on attackers required by the definition makes the proof quite involved. Thus, we look for a sufficient condition for tGNDC which does not make use of the universal quantification. For this purpose, we rely on a timed notion of term stability [15]. Intuitively, a network $M$ is said to be time-dependent stable if the attacker cannot increase its knowledge in an indefinite way when $M$ runs in the space of a time slot. Thus, we can predict how the knowledge of the attacker evolves at each time slot. First, we need a formalisation of computation.

Definition 3.6 (Execution trace) An execution trace is a sequence of labelled transitions. If $\Lambda$ is the sequence of actions $\alpha_1 \alpha_2 \dots \alpha_n$, we write $M \xRightarrow{\Lambda} M'$ to mean $M \xRightarrow{\alpha_1} \cdots \xRightarrow{\alpha_n} M'$.

In order to count how many time slots an execution trace $\Lambda$ embraces, we define $\#^{\sigma}(\Lambda)$ to be the number of occurrences of $\sigma$-actions in $\Lambda$.

Definition 3.7 (Time-dependent stability) A network $M$ is said to be time-dependent stable with respect to a sequence of knowledge $\{\phi_j\}_{j \ge 0}$ if whenever

$$M^{\mathcal{A}} \mid A \xRightarrow{\Lambda} M' \mid A'$$

where $\mathcal{A}$ is a set of attacking nodes for $M$, $A \in \mathbf{A}^{\mathcal{A}/\mathrm{nds}(M)}_{\phi_0}$, $\#^{\sigma}(\Lambda) = j$ and $\mathrm{nds}(M') = \mathrm{nds}(M)$, then $\mathrm{msg}(A') \subseteq \mathcal{D}(\phi_j)$.

In other words, if $M$ is time-dependent stable with respect to $\{\phi_j\}_{j \ge 0}$ then, whenever $M^{\mathcal{A}} \mid A \xRightarrow{\Lambda} M' \mid A'$, with $\#^{\sigma}(\Lambda) = j$ and $\mathrm{nds}(M') = \mathrm{nds}(M)$, then $A' \in \mathbf{A}^{\mathcal{A}/\mathrm{nds}(M')}_{\phi_j}$. Thus, $\phi_j$ expresses the knowledge of the attacker at the end of the $j$-th time slot.
Time-dependent stability is the crucial notion that allows us to replace the universal quantification on the possible attackers with the most general attacker. Intuitively, given a sequence of knowledge $\{\phi_j\}_{j \ge 0}$ and a set $P = \{m_1, \dots, m_k\}$ of nodes, we pick a set $\mathcal{A} = \{a_1, \dots, a_k\}$ of attacking nodes for $P$ and we define the top attacker $\mathrm{Top}^{\mathcal{A}/P}_{\phi_0}$ as the network whose initial knowledge is $\phi_0$ and which is able to manage the whole knowledge provided by $\phi_j$ after $j$ time slots.

Definition 3.8 (Top Process) Given a sequence of knowledge $\{\phi_j\}_{j \ge 0}$, the set of top processes $\{T^{j}_{\phi}\}_{j \ge 0}$ is defined as follows:

$$T^{j}_{\phi} \stackrel{\mathrm{def}}{=} \Big\lfloor \sum_{w \in \mathcal{D}(\phi_j)} \tau.!\langle w \rangle.T^{j}_{\phi} \Big\rfloor T^{j+1}_{\phi} .$$

The top attacker is defined by replicating the top process in every attacking node.

Definition 3.9 (Top Attacker) Given $P = \{m_1, \dots, m_k\}$ and $\mathcal{A} = \{a_1, \dots, a_k\}$, a set of attacking nodes for $P$, and fixed a sequence of knowledge $\{\phi_j\}_{j \ge 0}$, the top attacker is defined as:

k 

fij def 



Basically, the network $\mathrm{Top}^{\mathcal{A}/P}_{\phi_j}$ can perform the following transitions:

• $\mathrm{Top}^{\mathcal{A}/P}_{\phi_j} \xrightarrow{a_i ! w \triangleright m_i} \mathrm{Top}^{\mathcal{A}/P}_{\phi_j}$, for every $i \in \{1, \dots, k\}$ and $w \in \mathcal{D}(\phi_j)$

• $\mathrm{Top}^{\mathcal{A}/P}_{\phi_j} \xrightarrow{\sigma} \mathrm{Top}^{\mathcal{A}/P}_{\phi_{j+1}}$

In particular, after $j$ time slots (i.e. $j$ $\sigma$-actions) $\mathrm{Top}^{\mathcal{A}/P}_{\phi_j}$ can replay any message in $\mathcal{D}(\phi_j)$ to the network under attack. Moreover, every attacking node $a_i$ can send messages to the corresponding node $m_i$, but, unlike the attackers of Definition 3.2, it does not need to communicate with the other nodes in $\mathcal{A}$ as it already owns the full knowledge of the system at time $j$.



Remark 3.10 Notice that the top attacker does not satisfy well-timedness (see Definition [ ]) as the process identifiers involved in the recursive definition are not time-guarded. However, this is not a problem, as we are looking for a sufficient condition which ensures tGNDC with respect to well-timed attackers.

A first compositional property that involves the top attacker is the following.

Lemma 3.11 Let $M_1 \mid M_2$ be time-dependent stable with respect to a sequence of knowledge $\{\phi_j\}_{j \ge 0}$. Let $\mathcal{A}_1$ and $\mathcal{A}_2$ be disjoint sets of attacking nodes for $M_1$ and $M_2$ respectively. Let $O_1 \subseteq \mathrm{nds}(M_1)$ and $O_2 \subseteq \mathrm{nds}(M_2)$. Then

$$(M_1 \mid M_2)^{\mathcal{A}_1 \cup \mathcal{A}_2}_{O_1 \cup O_2} \mid \mathrm{Top}^{\mathcal{A}_1 \cup \mathcal{A}_2 / \mathrm{nds}(M_1 \mid M_2)}_{\phi_0} \;\lesssim\; (M_1)^{\mathcal{A}_1}_{O_1} \mid (M_2)^{\mathcal{A}_2}_{O_2} \mid \mathrm{Top}^{\mathcal{A}_1 / \mathrm{nds}(M_1)}_{\phi_0} \mid \mathrm{Top}^{\mathcal{A}_2 / \mathrm{nds}(M_2)}_{\phi_0} .$$
The following theorem says that $\mathrm{Top}^{\mathcal{A}/P}_{\phi_0}$ is the reference attacker for checking tGNDC.

Theorem 3.12 (Criterion for tGNDC) If $M$ is time-dependent stable with respect to a sequence of knowledge $\{\phi_j\}_{j \ge 0}$, $\mathcal{A}$ is a set of attacking nodes for $M$ and $O \subseteq \mathrm{nds}(M)$, then

$$M^{\mathcal{A}}_{O} \mid \mathrm{Top}^{\mathcal{A}/\mathrm{nds}(M)}_{\phi_0} \lesssim N \quad \text{implies} \quad M \in \mathrm{tGNDC}^{N}_{\phi_0, O} .$$

The notion of the most powerful attacker is eventually employed to obtain the compositional property outlined by the following proposition.

Theorem 3.13 (Composing tGNDC) Let $M = M_1 \mid \dots \mid M_k$ be time-dependent stable with respect to a sequence of knowledge $\{\phi_j\}_{j \ge 0}$. Let $\mathcal{A}_1, \dots, \mathcal{A}_k$ be disjoint sets of attacking nodes for $M_1, \dots, M_k$, respectively. Let $O_i \subseteq \mathrm{nds}(M_i)$, for $1 \le i \le k$. Then,

$$(M_i)^{\mathcal{A}_i}_{O_i} \mid \mathrm{Top}^{\mathcal{A}_i/\mathrm{nds}(M_i)}_{\phi_0} \lesssim N_i, \text{ for } 1 \le i \le k, \quad \text{implies} \quad M \in \mathrm{tGNDC}^{N_1 \mid \dots \mid N_k}_{\phi_0, O_1 \cup \dots \cup O_k} .$$

Proof By Theorem 2.12 we have

$$(M_1)^{\mathcal{A}_1}_{O_1} \mid \dots \mid (M_k)^{\mathcal{A}_k}_{O_k} \mid \mathrm{Top}^{\mathcal{A}_1/\mathrm{nds}(M_1)}_{\phi_0} \mid \dots \mid \mathrm{Top}^{\mathcal{A}_k/\mathrm{nds}(M_k)}_{\phi_0} \lesssim N_1 \mid \dots \mid N_k .$$

By applying Lemma 3.11 and Theorem 2.12 we obtain

$$(M_1 \mid \dots \mid M_k)^{\mathcal{A}_1 \cup \dots \cup \mathcal{A}_k}_{O_1 \cup \dots \cup O_k} \mid \mathrm{Top}^{\mathcal{A}_1 \cup \dots \cup \mathcal{A}_k / \mathrm{nds}(M_1 \mid \dots \mid M_k)}_{\phi_0} \lesssim N_1 \mid \dots \mid N_k .$$

Thus, by an application of Theorem 3.12 we can derive $M \in \mathrm{tGNDC}^{N_1 \mid \dots \mid N_k}_{\phi_0, O_1 \cup \dots \cup O_k}$. □
3.1 Two timed security properties

We formalise two useful timed properties for security protocols as instances of $\mathrm{tGNDC}^{\rho(M)}_{\phi_0, O}$ by suitably defining the abstraction function $\rho$ [15]. We will focus on the two following timed properties:

• A timed notion of integrity, called timed integrity, which guarantees that only fresh packets are authenticated.

• A timed notion of authentication, called timed agreement, according to which agreement must be reached within a certain deadline, otherwise authentication does not hold.

More precisely, fixed a delay $\delta$, a protocol is said to enjoy the timed integrity property if, whenever a packet $p_i$ is authenticated during the $i$-th time interval, then this packet was sent at most $i - \delta$ time intervals before. For verification reasons, when expressing timed integrity in the tGNDC scheme, we will introduce in the protocol under examination a special message auth, which is emitted only when the packet $p_i$ is authenticated.

A protocol is said to enjoy the timed agreement property if, whenever a responder $n$ has completed a run of the protocol, apparently with an initiator $m$, then $m$ has initiated the protocol, apparently with $n$, at most $\delta$ time intervals before, and the two agents agreed on some set of data. When expressing timed agreement in the tGNDC scheme, we introduce in the protocol under examination a special message $\mathrm{hello}_i$, which is emitted by the initiator at the $i$-th run of the protocol, and a special message $\mathrm{end}_i$, emitted by the responder, representing the completion of the protocol launched at run $i$.
4 A Security Analysis of μTESLA

The μTESLA protocol was designed by Perrig et al. [33] to provide authenticated broadcast from a base station (BS) towards all nodes of a wireless network. The protocol is based on a delayed disclosure of symmetric keys, and it requires the network to be loosely time synchronised. The protocol computes a MAC for every packet to be broadcast, by using different keys. The transmission time is split into time intervals of $\Delta_{int}$ time units each, and each key is tied to one of them. The keys belong to a key chain $k_0, k_1, \dots, k_n$ generated by BS by means of a public one-way function $F$. In order to generate this chain, BS randomly chooses the last key $k_n$ and repeatedly applies $F$ to compute all the other keys, whereby $k_i := F(k_{i+1})$, for $0 \le i \le n-1$. The key-chain mechanism, together with the one-way function $F$, provides two major advantages: (i) a key $k_i$ can be used to generate the beginning of the chain $k_0, \dots, k_{i-1}$ by simply applying $F$ as many times as necessary, but it cannot be used to generate any of the subsequent keys; (ii) any of the keys $k_0, \dots, k_{i-1}$ can be used to authenticate $k_i$. Moreover, each node $m_j$ is pre-loaded with a master key $k_{BS:m_j}$ for unicast communications with bs.

In this section, we analyse the two main phases of the protocol: bootstrapping new receivers and authenticated broadcast. The former establishes the node's initial setting in order to start receiving the authenticated packets; the latter describes the transmission of authenticated information.

4.1 Bootstrapping new receivers

When a new node $m$ wishes to join the network, it sends a request message to the base station bs containing its name and a nonce $n_j$, where $j$ counts the number of bootstrapping requests:

$$m \to \mathrm{bs} : n_j \mid m \qquad \text{(see footnote 3)}$$

The base station replies with an initialisation message of the following form:

$$\mathrm{bs} \to m : \Delta_{int} \mid i \mid k_l \mid l \mid \mathrm{mac}(k_{BS:m}, (n_j \mid \Delta_{int} \mid i \mid k_l \mid l))$$

where $\Delta_{int}$ is the duration of every time interval, $i$ is the current time interval of bs, $k_l$ is a key in the key chain, and $l$, with $l < i$, represents the time interval in which $k_l$ was employed for packet encryption; hence, $k_l$ can be used for authenticating the subsequent keys in the chain. The secret key $k_{BS:m}$ is used to authenticate unicast messages; the nonce $n_j$ allows the node $m$ to verify the freshness of the reply coming from bs.

Encoding in aTCWS Our encoding contains a few simplifications with respect to the original protocol. As described in Section 4.2, the authenticated-broadcast phase consists of two distinct events: packet broadcast and key disclosure. For the sake of simplicity, in our encoding these events will happen in contiguous time slots, hence the time interval $\Delta_{int}$ corresponds to two $\sigma$-actions. Moreover, we assume that $\Delta_{int}$ is already known by all nodes. Hence, bs needs to communicate just the current time interval $i$ and the time interval $l$ of the committing key $k_l$. We fix $l = i - 1$. Thus, we can simplify the reply message as follows:

$$\mathrm{bs} \to m : i \mid k_{i-1} \mid \mathrm{mac}(k_{BS:m}, (n_j \mid i \mid k_{i-1})) .$$

3 Here, the "|" symbol denotes message concatenation.

When giving our specifications in aTCWS we will require two new deduction rules to model a Message Authentication Code and a pseudo-random function:

$$(\mathrm{mac})\ \frac{w_1 \quad w_2}{\mathrm{mac}(w_1, w_2)} \qquad\qquad (\mathrm{prf})\ \frac{w_1 \quad w_2}{\mathrm{prf}(w_1, w_2)} .$$

The application $\mathrm{mac}(k, p)$ returns a unique number which represents the MAC of packet $p$, obtained from the payload of that packet and a key $k$. This will be used to authenticate the packet $p$. The application $\mathrm{prf}(m, w_i)$ returns a pseudo-random value $w_{i+1}$ associated to a node $m$ and the last generated value $w_i$.

Table 5 provides both the code running at each requesting node $m$ and the code running at the base station bs. The base station runs the process $D_i$, where $i$ represents the index of the current key as well as the current time interval. The requesting nodes run the process $A_j$, where $j$ counts the number of bootstrapping requests made by the node. At each request $j$, the receiver generates a nonce $n_j$. Upon authentication of a key $k$, the node starts the authenticated-broadcast phase, via the process $R(i+1, i-1, \perp, k)$ defined in Table 7 of Section 4.2.

At the beginning of the bootstrapping phase the network appears as:

$$\mu\mathrm{TESLA}_{boot} \stackrel{\mathrm{def}}{=} \mathrm{bs}[D_1]^{\nu_{BS}} \mid m_1[A_1]^{\nu_{m_1}} \mid \dots \mid m_k[A_1]^{\nu_{m_k}}$$

where $m \in \nu_{BS}$ and $\mathrm{bs} \in \nu_m$, for every $m \in \{m_1, \dots, m_k\}$.



4.1.1 Timed Agreement

The timed agreement property for the bootstrapping phase of μTESLA requires that the base station bs successfully replies to a request packet $p_j$, sent by the initiator node $m$, in at most $\Delta_{int}$ time units (corresponding in our encoding to two $\sigma$-actions).

Here, we prove that the bootstrapping phase does not satisfy timed agreement. In particular, we show that an attacker may prevent the bootstrapping request from reaching the base station in time, so that the bootstrapping phase may not terminate in due time. In order to do that, we present a replay attack which can be described, without loss of generality, by focusing on a part of the protocol, called $\mu\mathrm{TESLA}'_{boot}$, consisting of a single requesting node $m$ and the base station bs. Moreover, we slightly modify the process running at bs to signal the end of the bootstrapping phase. Thus, we define the process $D'_i$ as a slight modification of $D_i$ (defined in Table 5) where process $E^{4}_{i}$ is replaced by

$$E^{4'}_{i} \stackrel{\mathrm{def}}{=} \sigma.[\mathrm{end}\ n \vdash_{pair} t]!\langle t \rangle.D_{i+1} .$$

With this modification, the encoding of the fragment under investigation of the bootstrapping phase of μTESLA becomes:

$$\mu\mathrm{TESLA}'_{boot} \stackrel{\mathrm{def}}{=} \mathrm{bs}[D'_1]^{\nu_{BS}} \mid m[A_1]^{\nu_m} .$$



Table 5 μTESLA: bootstrapping phase.

Request at node $m$:

$A_j \stackrel{\mathrm{def}}{=} [m\ n_{j-1} \vdash_{prf} n_j]$            build a random nonce $n_j$
$\qquad [m\ n_j \vdash_{pair} t]$                        build a pair $t$ with name $m$ and nonce $n_j$
$\qquad [\mathrm{req}\ t \vdash_{pair} p_j]$               build request packet using the pair $t$
$\qquad !\langle p_j \rangle.\sigma.B_j$                   broadcast the request and move to $B_j$
$B_j \stackrel{\mathrm{def}}{=} \lfloor ?(w).C_j \rfloor A_{j+1}$            receive the bootstrapping packet
$C_j \stackrel{\mathrm{def}}{=} [w \vdash_{fst} q]C^1_j;\sigma.A_{j+1}$        extract the first component
$C^1_j \stackrel{\mathrm{def}}{=} [w \vdash_{snd} h]$                       extract the MAC
$\qquad [n_j\ q \vdash_{pair} r]$                        add the nonce $n_j$
$\qquad [k_{BS:m}\ r \vdash_{mac} h']$                   calculate MAC $h'$ on $r$
$\qquad [h = h']C^2_j;\sigma.A_{j+1}$                    match the two MACs
$C^2_j \stackrel{\mathrm{def}}{=} [q \vdash_{fst} i]C^3_j;\sigma.A_{j+1}$      extract the current interval $i$
$C^3_j \stackrel{\mathrm{def}}{=} [q \vdash_{snd} k]\sigma.R(i+1, i-1, \perp, k)$   extract key $k$ and start authenticated broadcast

Reply at base station bs:

$D_i \stackrel{\mathrm{def}}{=} \lfloor ?(p).E_i \rfloor \sigma.D_{i+1}$            wait for incoming request packets
$E_i \stackrel{\mathrm{def}}{=} [p \vdash_{fst} p_1]E^1_i;\sigma.\sigma.D_{i+1}$    extract the first component
$E^1_i \stackrel{\mathrm{def}}{=} [p_1 = \mathrm{req}]E^2_i;\sigma.\sigma.D_{i+1}$   check if $p$ is a request packet
$E^2_i \stackrel{\mathrm{def}}{=} [p \vdash_{snd} t]$                       extract the second component
$\qquad [t \vdash_{fst} m]E^3_i;\sigma.\sigma.D_{i+1}$   extract the sender name $m$
$E^3_i \stackrel{\mathrm{def}}{=} [t \vdash_{snd} n]$                       extract the nonce $n$
$\qquad [i\ k_{i-1} \vdash_{pair} q_i]$                  pair up the key with the current time interval $i$
$\qquad [n\ q_i \vdash_{pair} r_i]$                      add the nonce $n$
$\qquad [k_{BS:m}\ r_i \vdash_{mac} h_i]$                calculate MAC $h_i$ on $r_i$, with $m$'s master key $k_{BS:m}$
$\qquad [q_i\ h_i \vdash_{pair} w_i]\sigma.!\langle w_i \rangle.E^4_i$   build packet $w_i$ with $q_i$ and MAC $h_i$; broadcast $w_i$ and go to the next requesting state
$E^4_i \stackrel{\mathrm{def}}{=} \sigma.D_{i+1}$



where the request packet $p_j = \mathrm{pair}(\mathrm{req}, \mathrm{pair}(m, n_j))$ reports the beginning of the bootstrapping phase, while the message $\mathrm{end}_j = \mathrm{pair}(\mathrm{end}, n_j)$ signals the end of the phase.

We define the timed agreement property as the following abstraction of the protocol:

$$\rho_{agr}(\mu\mathrm{TESLA}'_{boot}) \stackrel{\mathrm{def}}{=} \mathrm{bs}[\hat{D}_1]^{obs} \mid m[\hat{A}_1]^{obs}$$

where

$$\hat{D}_i \stackrel{\mathrm{def}}{=} \lfloor \tau.\sigma.!\langle w_i \rangle.\sigma.!\langle \mathrm{end}_i \rangle.\hat{D}_{i+1} \rfloor \sigma.\hat{D}_{i+1}$$

$$\hat{A}_i \stackrel{\mathrm{def}}{=} !\langle p_i \rangle.\sigma.\lfloor \tau.\sigma.R(i+1, i-1, \perp, k_{i-1}) \rfloor \hat{A}_{i+1}$$

with $w_i = \mathrm{pair}(q_i, \mathrm{mac}(k_{m:BS}, \mathrm{pair}(n_i, q_i)))$ and $q_i = \mathrm{pair}(i, k_{i-1})$, as defined in Table 5. Basically, these processes are obtained from $D_i$ and $A_i$ by abstracting on receptions. The node obs is the observing node introduced in Section 3.

The abstraction $\rho_{agr}(\mu\mathrm{TESLA}'_{boot})$ correctly expresses the timed agreement property for the system $\mu\mathrm{TESLA}'_{boot}$. In fact, the following proposition says that bs successfully replies to a request packet $p_i$, sent by the initiator node $m$, in exactly $\Delta_{int}$ time units (i.e. in two $\sigma$-actions).

Proposition 4.1 Whenever $\rho_{agr}(\mu\mathrm{TESLA}'_{boot}) \xRightarrow{\Lambda} \xrightarrow{!p_i \triangleright \mathrm{obs}} \xRightarrow{\Omega} \xrightarrow{!\mathrm{end}_i \triangleright \mathrm{obs}}$, then $\#^{\sigma}(\Omega) = 2$.

Now, in order to show that $\mu\mathrm{TESLA}'_{boot}$ satisfies timed agreement, we should prove that

$$\mu\mathrm{TESLA}'_{boot} \in \mathrm{tGNDC}^{\rho_{agr}(\mu\mathrm{TESLA}'_{boot})}_{\phi_0, O}$$

where $O = \{m, \mathrm{bs}\}$ and $\phi_0 \subseteq \mathrm{Msg}$. More precisely, given an appropriate set of attacking nodes $\mathcal{A} = \{a, b\}$, we should prove that

$$(\mu\mathrm{TESLA}'_{boot})^{\mathcal{A}} \mid A \lesssim \rho_{agr}(\mu\mathrm{TESLA}'_{boot}) \quad \text{for every } A \in \mathbf{A}^{\mathcal{A}/\mathrm{nds}(\mu\mathrm{TESLA}'_{boot})}_{\phi_0} .$$

This would imply that all execution traces of the system $(\mu\mathrm{TESLA}'_{boot})^{\mathcal{A}} \mid A$ can be matched by $\rho_{agr}(\mu\mathrm{TESLA}'_{boot})$. Unfortunately, this is not the case. The following theorem shows how an attacker $A$ can force the system $(\mu\mathrm{TESLA}'_{boot})^{\mathcal{A}} \mid A$ to execute a trace in which the special message $\mathrm{end}_j$ is broadcast $2\Delta_{int}$ time units (that is, four $\sigma$-actions) later than $p_j$. This trace cannot be executed by $\rho_{agr}(\mu\mathrm{TESLA}'_{boot})$, as stated in Proposition 4.1.

Theorem 4.2 (Replay Attack to μTESLA Bootstrapping Phase) $\mu\mathrm{TESLA}'_{boot}$ does not satisfy the timed agreement property.

Proof We propose an attacker that delays agreement. Let us define the set of attacking nodes $\mathcal{A} = \{a, b\}$ for $\mathrm{nds}(\mu\mathrm{TESLA}'_{boot})$. Let us fix the initial knowledge $\phi_0 = \emptyset$, so as to deal with the most general situation. We set $\nu_a = \{m, b\}$ and $\nu_b = \{\mathrm{bs}, a\}$, and we assume that all nodes in $\mathrm{nds}(\mu\mathrm{TESLA}'_{boot})$ are observable, thus $\nu_m = \{\mathrm{bs}, a, \mathrm{obs}\}$ and $\nu_{BS} = \{m, b, \mathrm{obs}\}$. We give an intuition of the replay attack in Table 6. Basically, the attacker delays the reception at bs of packet $p_1$, so that bs can complete the protocol only after $2\Delta_{int}$ time units. This denotes a replay attack that breaks agreement.

Formally, we define the attacker $A \in \mathbf{A}^{\mathcal{A}/\mathrm{nds}(\mu\mathrm{TESLA}'_{boot})}_{\phi_0}$ as follows:

$$A = a[X]^{\nu_a} \mid b[Y]^{\nu_b}$$

where $X \stackrel{\mathrm{def}}{=} \lfloor ?(x).\sigma.!\langle x \rangle.\mathrm{nil} \rfloor \mathrm{nil}$ and $Y \stackrel{\mathrm{def}}{=} \sigma.\lfloor ?(y).\sigma.!\langle y \rangle.\mathrm{nil} \rfloor \mathrm{nil}$. We then consider the system

$$(\mu\mathrm{TESLA}'_{boot})^{\mathcal{A}} \mid A$$

which admits the following execution trace:

$$!p_1 \triangleright \mathrm{obs} \,.\, \sigma \,.\, \tau \,.\, \sigma \,.\, \tau \,.\, !p_2 \triangleright \mathrm{obs} \,.\, \sigma \,.\, !w_1 \triangleright \mathrm{obs} \,.\, \sigma \,.\, !\mathrm{end}_1 \triangleright \mathrm{obs}$$

containing four $\sigma$-actions between the packets $p_1$ and $\mathrm{end}_1$ (we report the corresponding computation in the Appendix). However, by Proposition 4.1 this trace cannot be matched by $\rho_{agr}(\mu\mathrm{TESLA}'_{boot})$. As a consequence,

$$(\mu\mathrm{TESLA}'_{boot})^{\mathcal{A}} \mid A \not\lesssim \rho_{agr}(\mu\mathrm{TESLA}'_{boot})$$

and hence the timed agreement property does not hold. □

Table 6 Replay attack to μTESLA bootstrapping phase.

$m \to \mathrm{bs} : p_1$          $m$ starts the protocol, but $p_1$ is grasped by $a$ and missed by bs
$\sigma$                       the system moves to the next time slot
$a \to b : p_1$              $a$ sends $p_1$ to $b$
$\sigma$                       the system moves to the next time slot
$b \to \mathrm{bs} : p_1$          $b$ replays $p_1$ to bs
$m \to \mathrm{bs} : p_2$          $m$ sends a new request $p_2$ which gets lost
$\sigma$                       the system moves to the next time slot
$\mathrm{bs} \to m : w_1$          bs replies to $p_1$ with $w_1$ (which is discarded by $m$)
$\sigma$                       the system moves to the next time slot
$\mathrm{bs} \to * : \mathrm{end}_1$     bs signals the end of the protocol



4.1.2 Timed Integrity

In this section, we show that the bootstrapping phase of μTESLA satisfies the timed integrity property. In particular, we prove that nodes authenticate only keys that are associated to a nonce sent by the same node, wrapped in a request packet, in the previous time interval $\Delta_{int}$.

Again, without loss of generality, we focus on a part of the protocol, called $\mu\mathrm{TESLA}''_{boot}$, consisting of the base station bs and a single node $m$. We signal authentication at the node side by broadcasting a special message. This is done by replacing the process $A_j$ of Table 5 with the process $A''_j$, which is the same as $A_j$ except for $C^3_j$, which is replaced by:

$$C^{3'}_{j} \stackrel{\mathrm{def}}{=} [q \vdash_{snd} k]\sigma.[\mathrm{auth}\ n_j \vdash_{pair} t]!\langle t \rangle.R(i+1, i-1, \perp, k) .$$

Thus, the fragment of the protocol under examination becomes:

$$\mu\mathrm{TESLA}''_{boot} \stackrel{\mathrm{def}}{=} \mathrm{bs}[D_1]^{\nu_{BS}} \mid m[A''_1]^{\nu_m} .$$

The abstraction of the protocol that expresses timed integrity can be formalised as follows:

$$\rho_{int}(\mu\mathrm{TESLA}''_{boot}) \stackrel{\mathrm{def}}{=} \mathrm{bs}[\mathit{Tick}] \mid m[\hat{A}_1]^{obs}$$
where $\mathit{Tick} \stackrel{\mathrm{def}}{=} \sigma.\mathit{Tick}$ and $\hat{A}_i \stackrel{\mathrm{def}}{=} !\langle p_i \rangle.\sigma.\lfloor \tau.\sigma.!\langle \mathrm{auth}_i \rangle.R(i+1, i-1, \perp, k_{i-1}) \rfloor \hat{A}_{i+1}$, with $\mathrm{auth}_i = \mathrm{pair}(\mathrm{auth}, n_i)$ and $p_i = \mathrm{pair}(\mathrm{req}, \mathrm{pair}(m, n_i))$. Again, the node obs is the observer introduced in Section 3.

In the abstraction $\rho_{int}(\mu\mathrm{TESLA}''_{boot})$, it is straightforward to see that the action $\mathrm{auth}_i$, which authenticates a key with nonce $n_i$, occurs exactly $\Delta_{int}$ time units (that is, two $\sigma$-actions) after the request which carries the nonce $n_i$. This fact is stated in the following proposition.

Proposition 4.3 Whenever $\rho_{int}(\mu\mathrm{TESLA}''_{boot}) \xRightarrow{\Lambda} \xrightarrow{!p_i \triangleright \mathrm{obs}} \xRightarrow{\Omega} \xrightarrow{!\mathrm{auth}_i \triangleright \mathrm{obs}} M'$, then $\#^{\sigma}(\Omega) = 2$.

The previous result says that $\rho_{int}(\mu\mathrm{TESLA}''_{boot})$ correctly expresses the timed integrity property. Thus, in order to show that the encoding of the bootstrapping phase of μTESLA satisfies the timed integrity property, we will prove that

$$\mu\mathrm{TESLA}''_{boot} \in \mathrm{tGNDC}^{\rho_{int}(\mu\mathrm{TESLA}''_{boot})}_{\phi_0, \{m\}}$$

for some appropriate $\phi_0$. Notice that node $m$ signals both the beginning and the end of the authentication protocol. Thus, we need to observe only the packets sent by $m$. Moreover, according to Definition 3.7, $\mu\mathrm{TESLA}''_{boot}$ is time-dependent stable with respect to the following sequence of knowledge:

$$\begin{array}{lcll} \phi_0 & \stackrel{\mathrm{def}}{=} & \{p_1\} & \\ \phi_1 & \stackrel{\mathrm{def}}{=} & \phi_0 \cup \{w_1\} & \\ \phi_2 & \stackrel{\mathrm{def}}{=} & \phi_1 \cup \{\mathrm{auth}_1, p_2\} & \\ \phi_i & \stackrel{\mathrm{def}}{=} & \phi_{i-1} \cup \{\mathrm{auth}_j, p_{j+1}\} & \text{if } j > 0 \text{ and } i = 2j \\ \phi_i & \stackrel{\mathrm{def}}{=} & \phi_{i-1} \cup \{w_{j+1}\} & \text{if } j > 0 \text{ and } i = 2j+1 \end{array} \qquad (1)$$

where $w_i = \mathrm{pair}(q_i, \mathrm{mac}(k_{m:BS}, \mathrm{pair}(n_i, q_i)))$ and $q_i = \mathrm{pair}(i, k_{i-1})$, as defined in Table 5. Intuitively, $\phi_i$ consists of $\phi_{i-1}$ together with the set of messages an intruder can get by eavesdropping on a run of the protocol during the time slot $i$.

Lemma 4.4 Given two attacking nodes $a$ and $b$, for $m$ and bs respectively, and fixed the sequence of knowledge $\{\phi_i\}_{i \ge 0}$ as in (1), then

1. $\mathrm{bs}[D_1]^{\{b\}} \mid \mathrm{Top}^{b/\mathrm{bs}}_{\phi_0} \lesssim \mathrm{bs}[\mathit{Tick}]$

2. $m[A''_1]^{\{a, \mathrm{obs}\}} \mid \mathrm{Top}^{a/m}_{\phi_0} \lesssim m[\hat{A}_1]^{obs}$.

Theorem 4.5 ($\mu\mathrm{TESLA}''_{boot}$ Timed Integrity) The protocol $\mu\mathrm{TESLA}''_{boot}$ satisfies the timed integrity property:

$$\mu\mathrm{TESLA}''_{boot} \in \mathrm{tGNDC}^{\rho_{int}(\mu\mathrm{TESLA}''_{boot})}_{\phi_0, \{m\}} .$$

Proof By an application of Lemma 4.4 and Theorem 3.13. □
4.2 Authenticating broadcast packets

In the authenticated-broadcast phase, at each time interval $i$, one or more packets $p_i$ are deployed by the sender, each one containing the payload and the MAC calculated with the key $k_i$ bound to the $i$-th time interval. Thus, at time interval $i$ the bs broadcasts the authenticated message:

$$\mathrm{bs} \to * : p_i \mid \mathrm{mac}(p_i, k_i) .$$

In the same time interval $i$, the key tied to the previous time interval $i-1$ is disclosed to all receivers, so that they can authenticate all the previously received packets:

$$\mathrm{bs} \to * : k_{i-1} .$$

Loose time synchronisation on the key disclosure time prevents malicious nodes from forging packets with modified payloads. Nodes discard packets containing MACs calculated with already disclosed keys, as those packets could come from an attacker. In this phase the nodes exploit the two main advantages of the key chain and the one-way function $F$: (i) the last received key $k_i$ can be authenticated by means of $F$ and the last authenticated key $k_l$; (ii) lost keys can be recovered by applying $F$ to the last received key $k_i$. For instance, suppose that BS has sent packet $p_1$ (containing a MAC with key $k_1$) in the first time interval, packet $p_2$ in the second time interval and packet $p_3$ in the third one. If the key $k_1$ is correctly received by a node $m$ while keys $k_2$ and $k_3$ get lost, then $m$ can only authenticate the packet $p_1$ but not $p_2$ or $p_3$. However, if $m$ gets the key $k_4$ then $m$ can authenticate $k_4$ by using $k_1$, and it can also recover the lost keys $k_2$ and $k_3$ to authenticate $p_2$ and $p_3$, respectively.
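The key-chain mechanism of Section 4 and the receiver-side checks just described (key authentication through $F$, recovery of lost keys, and rejection of packets whose key has already been disclosed), as an added example in Python that is not part of the paper's calculus or of the μTESLA reference implementation. The one-way function $F$ (truncated SHA-256), the MAC (truncated HMAC-SHA256), the chain seed and the payloads are all constructed assumptions of this example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple


def F(key: bytes) -> bytes:
    """Public one-way function F (assumption: truncated SHA-256)."""
    return hashlib.sha256(key).digest()[:16]


def make_key_chain(k_n: bytes, n: int) -> List[bytes]:
    """Return [k_0, ..., k_n] where k_i = F(k_{i+1}); only k_n is chosen at random."""
    chain = [k_n]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]


def mac(key: bytes, payload: bytes) -> bytes:
    """MAC of a payload under a chain key (assumption: truncated HMAC-SHA256)."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:8]


class Receiver:
    """A node holding one authenticated key k_l; packets are buffered until the
    key that protects them is disclosed one interval later."""

    def __init__(self, k_l: bytes, l: int) -> None:
        self.k_auth, self.l = k_l, l                 # last authenticated key and its interval
        self.pending: Dict[int, Tuple[bytes, bytes]] = {}   # interval -> (payload, mac)
        self.authenticated: Dict[int, bytes] = {}

    def receive_packet(self, now: int, i: int, payload: bytes, tag: bytes) -> bool:
        # k_i is disclosed in interval i+1, so a packet claiming interval i that
        # arrives once now > i may have been built with the disclosed key: discard it.
        if i < now or i <= self.l:
            return False
        self.pending[i] = (payload, tag)
        return True

    def receive_key(self, j: int, k: bytes) -> List[int]:
        """Disclosed key claimed to be k_j: authenticate it with F^{j-l}(k) == k_l,
        recover lost keys k_{l+1..j-1} by applying F, and authenticate every
        buffered packet whose key is now known. Returns the authenticated intervals."""
        if j <= self.l:
            return []
        probe = k
        for _ in range(j - self.l):
            probe = F(probe)
        if not hmac.compare_digest(probe, self.k_auth):
            return []                                # forged or corrupted key: ignore
        newly: List[int] = []
        for idx in sorted(self.pending):
            if self.l < idx <= j:
                k_idx = k
                for _ in range(j - idx):             # k_idx = F^{j-idx}(k_j)
                    k_idx = F(k_idx)
                payload, tag = self.pending.pop(idx)
                if hmac.compare_digest(mac(k_idx, payload), tag):
                    self.authenticated[idx] = payload
                    newly.append(idx)
        self.k_auth, self.l = k, j
        return newly


def demo() -> Tuple[List[int], List[int], bool, List[int]]:
    """The paper's scenario: k_1 received, k_2 and k_3 lost, k_4 received later."""
    chain = make_key_chain(b"constructed random k_n", 6)   # [k_0, ..., k_6]
    m = Receiver(chain[0], 0)                               # bootstrapped with k_0
    first: List[int] = []
    for i in range(1, 5):                                   # intervals 1..4
        q = f"reading-{i}".encode()                         # constructed payload
        m.receive_packet(i, i, q, mac(chain[i], q))         # p_i = q | mac(q, k_i)
        if i == 2:
            first = m.receive_key(1, chain[1])              # k_1 disclosed in interval 2
        # the disclosures of k_2 (interval 3) and k_3 (interval 4) are lost
    got = m.receive_key(4, chain[4])                        # k_4 disclosed in interval 5
    # a packet under k_2 arriving in interval 6, after k_2 was disclosed, is refused
    late = m.receive_packet(6, 2, b"stale", mac(chain[2], b"stale"))
    return first, got, late, sorted(m.authenticated)
```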

In Table 7 we provide an encoding of the authenticated-broadcast phase of μTESLA. Also in this case our encoding contains a few simplifications with respect to the original protocol. As said for the bootstrapping phase, we assume that the duration of the time interval $\Delta_{int}$ is fixed and already known by the nodes. In our encoding this time interval corresponds to two $\sigma$-actions. We assume that in each time interval $i$ the sender broadcasts alternately only one packet $p_i$ and the key of the previous time interval. Thus, we assume a sequence $q_1, q_2, \dots$ of payloads to be authenticated by using the corresponding keys $k_1, k_2, \dots$. Moreover, we do not model the recovery of lost keys, hence the payload $q_i$ can only be authenticated by receiving the key $k_i$. This simplification yields an easier-to-read model which can be generalised to fulfil the original requirements of the protocol.

The encoding essentially defines two kinds of processes: the senders $S_i$, and the receivers $R(i, l, r, k_l)$, where $i$ is the current time interval, $r$ is the last received packet, and $l$ is the time interval when the last key $k_l$ was authenticated. Since we bind one packet to one key, $i$ also refers to the index number of packets.

The authenticated-broadcast phase of μTESLA can be represented as follows:

$$\mu\mathrm{TESLA}_{auth} \stackrel{\mathrm{def}}{=} \mathrm{bs}[S_1]^{\nu_{BS}} \mid m_1[R(1, -1, \perp, k_{BS})]^{\nu_{m_1}} \mid \dots \mid m_h[R(1, -1, \perp, k_{BS})]^{\nu_{m_h}}$$

where $m \in \nu_{BS}$ and $\mathrm{bs} \in \nu_m$, for every $m \in \{m_1, \dots, m_h\}$. We use $\perp$ because at the beginning there is no packet to authenticate. We write $k_{BS}$ to denote the key transmitted by the base station bs and authenticated at the node's site during the bootstrapping phase. Notice that, according to Table 5, $k_{BS}$ is associated to the time interval $-1$.

Table 7 μTESLA: authenticated-broadcast phase.

Sender:

$S_i \stackrel{\mathrm{def}}{=} [q_i\ k_i \vdash_{mac} u_i]$          build MAC with payload and key
$\qquad [u_i\ q_i \vdash_{pair} p_i]$                 build packet with mac and payload
$\qquad !\langle p_i \rangle.\sigma.$                  broadcast packet, synchronise
$\qquad !\langle k_{i-1} \rangle.\sigma.$              broadcast previous key, synchronise
$\qquad S_{i+1}$                                     and go to next sending state

Receiver:

$R(i, l, r, k_l) \stackrel{\mathrm{def}}{=} \lfloor ?(p).\sigma.P(i, l, p, r, k_l) \rfloor Q(i, l, r, k_l)$          receive a pkt, synchronise, go to $P$; if timeout go to $Q$
$P(i, l, p, r, k_l) \stackrel{\mathrm{def}}{=} \lfloor ?(k).T(i, l, p, r, k_l, k) \rfloor R(i+1, l, p, k_l)$        receive a key $k$ and move to $T$; if timeout go to next receiving state
$T(i, l, p, r, k_l, k) \stackrel{\mathrm{def}}{=} [F^{i-l-1}(k) = k_l]$          authenticate key $k$ with $F$ and $k_l$
$\qquad [r \vdash_{fst} u]$                            extract MAC from previous pkt $r$
$\qquad [r \vdash_{snd} q]$                            extract payload from $r$
$\qquad [q\ k \vdash_{mac} u']$                        build MAC for $r$ with key $k$
$\qquad [u = u']$                                      check MACs to authenticate $r$
$\qquad \sigma.Z(i+1, i-1, p, r, k);$
$\qquad \sigma.R(i+1, i-1, p, k);$
$\qquad \sigma.R(i+1, i-1, p, k);$
$\qquad \sigma.R(i+1, l, p, k_l)$
$Z(i, l, p, r, k_l) \stackrel{\mathrm{def}}{=} R(i, l, p, k_l)$          authenticated-broadcast succeeded
$Q(i, l, r, k_l) \stackrel{\mathrm{def}}{=} \lfloor ?(k).T(i, l, r, r, k_l, k) \rfloor R(i+1, l, r, k_l)$          receive a key, synchronise, and go to next receiving state

4.2.1 Timed Integrity

In this section, we show that the authenticated-broadcast phase of μTESLA enjoys timed integrity. In particular, we prove that receivers authenticate only packets that have been sent $2\Delta_{int}$ time units before (that is, four $\sigma$-actions before), in the correct order, even in the presence of the intruder. The crucial point is that even if the intruder acquires the shared keys, then it is "too late" to break integrity, i.e., to authenticate packets which are more than $2\Delta_{int}$ time units old.

As done for $\mu\mathrm{TESLA}_{boot}$, we signal authentication of a packet $r$ by broadcasting a special packet $\mathrm{pair}(\mathrm{auth}, r)$. Thus, we replace the process $R(i, l, r, k_l)$ of Table 7 with $R'(i, l, r, k_l)$, where the process $Z(i, l, p, r, k_l)$ is replaced by

$$Z'(i, l, p, r, k_l) \stackrel{\mathrm{def}}{=} [\mathrm{auth}\ r \vdash_{pair} t]!\langle t \rangle.R'(i, l, p, k_l) .$$
The formalisation of the authenticated-broadcast phase for μTESLA becomes the following:

$$\mu\mathrm{TESLA}'_{auth} \stackrel{\mathrm{def}}{=} \mathrm{bs}[S_1]^{\nu_{BS}} \mid m_1[R'(1, -1, \perp, k_{BS})]^{\nu_{m_1}} \mid \dots \mid m_h[R'(1, -1, \perp, k_{BS})]^{\nu_{m_h}} .$$

We define the timed integrity property as the following abstraction of the protocol $\mu\mathrm{TESLA}'_{auth}$:

$$\rho_{int}(\mu\mathrm{TESLA}'_{auth}) \stackrel{\mathrm{def}}{=} \mathrm{bs}[S_1]^{obs} \mid m_1[\hat{R}_1]^{obs} \mid \dots \mid m_h[\hat{R}_1]^{obs}$$

where $S_1$ is the process defined in Table 7, while $\hat{R}_i \stackrel{\mathrm{def}}{=} \sigma.\lfloor \tau.\sigma.!\langle \mathrm{auth}_{i-1} \rangle.\hat{R}_{i+1} \rfloor \hat{R}_{i+1}$. The node obs is the observing node introduced in Section 3. Here, we abstract on the receivers' behaviour: at time interval $i+2$ they may signal the authentication of the packet $p_i = \mathrm{pair}(\mathrm{mac}(k_i, q_i), q_i)$ by sending the special packet $\mathrm{auth}_i = \mathrm{pair}(\mathrm{auth}, p_i)$.

The abstraction $\rho_{int}(\mu\mathrm{TESLA}'_{auth})$ is a faithful representation of the timed integrity property for the authenticated-broadcast phase of μTESLA.

Proposition 4.6 Whenever $\rho_{int}(\mu\mathrm{TESLA}'_{auth}) \xRightarrow{\Lambda} \xrightarrow{!p_i \triangleright \mathrm{obs}} \xRightarrow{\Omega} \xrightarrow{!\mathrm{auth}_i \triangleright \mathrm{obs}} M'$, then $\#^{\sigma}(\Omega) = 4$.

In order to show that $\mu\mathrm{TESLA}'_{auth}$ satisfies timed integrity, we will prove that

$$\mu\mathrm{TESLA}'_{auth} \in \mathrm{tGNDC}^{\rho_{int}(\mu\mathrm{TESLA}'_{auth})}$$

for some appropriate $\phi_0$. Notice that $\mu\mathrm{TESLA}'_{auth}$ is time-dependent stable with respect to the following sequence of knowledge:

$$\begin{array}{lcll} \phi_0 & \stackrel{\mathrm{def}}{=} & \{p_1\} & \\ \phi_1 & \stackrel{\mathrm{def}}{=} & \phi_0 \cup \{k_0\} & \\ \phi_2 & \stackrel{\mathrm{def}}{=} & \phi_1 \cup \{p_2, \mathrm{auth}_0\} & \\ \phi_i & \stackrel{\mathrm{def}}{=} & \phi_{i-1} \cup \{p_{j+1}, \mathrm{auth}_{j-1}\} & \text{if } j > 0 \text{ and } i = 2j \\ \phi_i & \stackrel{\mathrm{def}}{=} & \phi_{i-1} \cup \{k_j\} & \text{if } j > 0 \text{ and } i = 2j+1. \end{array} \qquad (2)$$

Now, we choose an attacking node $a_j$ for each $m_j$, with $1 \le j \le h$, and an attacking node $b$ for bs. By applying the compositional criterion of Theorem 3.13, it suffices to prove a simpler integrity result for each node in isolation, composed with its corresponding top attacker.

Lemma 4.7 Given an attacking node $b$ for bs and the attacking nodes $a_j$ for $m_j$, with $1 \le j \le h$, and fixed the sequence of knowledge $\{\phi_i\}_{i \ge 0}$ as in (2), then the encoding in Table 7 satisfies the following:

1. $\mathrm{bs}[S_1]^{\{b, \mathrm{obs}\}} \mid \mathrm{Top}^{b/\mathrm{bs}}_{\phi_0} \lesssim \mathrm{bs}[S_1]^{obs}$

2. $m_j[R'(1, -1, \perp, k_{BS})]^{\{a_j, \mathrm{obs}\}} \mid \mathrm{Top}^{a_j/m_j}_{\phi_0} \lesssim m_j[\hat{R}_1]^{obs}$, for $1 \le j \le h$.

Theorem 4.8 ($\mu\mathrm{TESLA}'_{auth}$ Timed Integrity) The protocol $\mu\mathrm{TESLA}'_{auth}$ satisfies timed integrity:

$$\mu\mathrm{TESLA}'_{auth} \in \mathrm{tGNDC}^{\rho_{int}(\mu\mathrm{TESLA}'_{auth})} .$$

Proof By applying Lemma 4.7 and Theorem 3.13. □

4.2.2 Timed Agreement

The timed agreement property for the authenticated-broadcast phase $\mu\mathrm{TESLA}_{auth}$ requires that when the receiver $m_j$ completes the protocol, apparently with the initiator bs, then bs has initiated the protocol, apparently with $m_j$, at most two time intervals $\Delta_{int}$ before, and the two parties agree on the sent data. In other words, the packet $p_i$ is authenticated by $m_j$ exactly $2\Delta_{int}$ time units after it has been sent by bs. This says that any formulation of timed agreement for $\mu\mathrm{TESLA}_{auth}$ would actually coincide with timed integrity. Thus, Proposition 4.6 demonstrates that $\rho_{int}(\mu\mathrm{TESLA}'_{auth})$ is also a faithful abstraction of timed agreement. As a consequence, Theorem 4.8 also says that $\mu\mathrm{TESLA}'_{auth}$ satisfies timed agreement.

5 A Security Analysis of LEAP+

The LEAP+ protocol [43] provides keying mechanisms to establish authenticated communications. The protocol is designed to establish four types of keys: an individual key, shared between a base station and a node; a single-hop pairwise key, shared between two sensor nodes; a cluster key, shared between a node and all its neighbourhood; and a group key, shared between a base station and all sensor nodes of the network.

In this section, we focus on the single-hop pairwise key mechanism, as it underlies all the other keying methods. This mechanism is aimed at establishing a pairwise key between a sensor node and a neighbour in $\Delta_{leap}$ time units. In order to do that, LEAP+ exploits two peculiarities of sensor nodes: (i) the set of neighbours of a node is relatively static, and (ii) a sensor node that is being added to the network will discover most of its neighbours at the time of its initial deployment.

The single-hop pairwise shared key mechanism of LEAP+ consists of three phases.

Key pre-distribution. A network controller fixes an initial key $k_{in}$ and a computationally efficient pseudo-random function $\mathrm{prf}()$. Both $k_{in}$ and $\mathrm{prf}()$ are pre-loaded in each node, before deployment. Then, each node $r$ derives its master key: $k_r := \mathrm{prf}(k_{in}, r)$.

Neighbour discovery. As soon as a node $m$ is scattered in the network area it tries to discover its neighbours by broadcasting a hello packet that contains its identity, $m$, and a freshly created nonce $n_i$, where $i$ counts the number of attempts:

$$m \to * : m \mid n_i .$$

Then each neighbour $r$ replies with an ack message which includes its identity $r$, the corresponding MAC calculated by using $r$'s master key $k_r$, to guarantee authenticity, and the nonce $n_i$, to guarantee freshness. Specifically:

$$r \to m : r \mid \mathrm{mac}(k_r, (r \mid n_i)) .$$

Pairwise Key Establishment. When $m$ receives the packet $q$ from $r$, it tries to authenticate it by using the last created nonce $n_i$ and $r$'s master key $k_r = \mathrm{prf}(k_{in}, r)$. Notice that $m$ can calculate $k_r$ as $k_{in}$ and $\mathrm{prf}$ have been pre-loaded in $m$, and $r$ is contained in $q$. If the authentication succeeds, then both nodes proceed in calculating the pairwise key $k_{m:r} := \mathrm{prf}(k_r, m)$. Any other message between $m$ and $r$ will be authenticated by using the pairwise key $k_{m:r}$. If $m$ does not get an authenticated packet from the responder in due time, it sends a new hello packet with a fresh nonce.
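The three phases above, as an added example in Python that is not part of the paper or of the LEAP+ reference implementation: key pre-distribution, the hello/ack exchange, and the initiator's check of the ack against its current nonce before deriving $k_{m:r}$. The choice of HMAC-SHA256 for $\mathrm{prf}()$, the truncated MAC, the value of $k_{in}$ and the nonce seed $n_0$ are constructed assumptions; the page fixes none of them.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# k_in, pre-loaded in every node before deployment (constructed value)
K_IN = b"constructed k_in pre-loaded in every node"


def prf(key: bytes, data: bytes) -> bytes:
    """The pre-loaded pseudo-random function prf() (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    """MAC over a message (assumption: truncated HMAC-SHA256)."""
    return prf(key, msg)[:8]


class Node:
    def __init__(self, name: bytes) -> None:
        self.name = name
        self.master = prf(K_IN, name)            # key pre-distribution: k_r := prf(k_in, r)
        self.pairwise: Dict[bytes, bytes] = {}   # neighbour -> established pairwise key


class Initiator(Node):
    def __init__(self, name: bytes) -> None:
        super().__init__(name)
        self.i = 0
        self.n = b"constructed n_0"               # seed for the nonce sequence

    def hello(self) -> Tuple[bytes, bytes]:
        """Neighbour discovery: attempt i broadcasts m | n_i with n_i = prf(n_{i-1}, m),
        as in the [n_{i-1} m |-prf n_i] step of Table 8."""
        self.i += 1
        self.n = prf(self.n, self.name)[:8]
        return (self.name, self.n)

    def on_ack(self, ack: Tuple[bytes, bytes]) -> Optional[bytes]:
        """Pairwise key establishment: an ack counts only if its MAC is valid for
        the *current* nonce; a late ack for an earlier attempt is discarded."""
        r, h = ack
        k_r = prf(K_IN, r)                        # m recomputes r's master key itself
        if not hmac.compare_digest(mac(k_r, r + self.n), h):
            return None
        self.pairwise[r] = prf(k_r, self.name)    # k_{m:r} := prf(k_r, m)
        return self.pairwise[r]


class Responder(Node):
    def on_hello(self, pkt: Tuple[bytes, bytes]) -> Tuple[bytes, bytes]:
        """Reply r | mac(k_r, r | n_i) and derive the same pairwise key."""
        m, n_i = pkt
        self.pairwise[m] = prf(self.master, m)
        return (self.name, mac(self.master, self.name + n_i))


def demo() -> Tuple[bool, bool]:
    """Constructed run: one timely exchange, then a late ack after a fresh hello."""
    m, r = Initiator(b"m"), Responder(b"r")
    ack1 = r.on_hello(m.hello())                 # attempt 1: r answers within Delta_leap
    agreed = m.on_ack(ack1) == r.pairwise[b"m"]
    # attempt 2: m did not hear back in due time and sent a new hello with a fresh
    # nonce; the old ack arriving now must not be accepted for attempt 2
    m.hello()
    stale_rejected = m.on_ack(ack1) is None
    return agreed, stale_rejected
```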

In Table 8 we provide an encoding of the single-hop pairwise shared key mechanism of LEAP+. For the sake of clarity, we assume that $\Delta_{leap}$ consists of two time slots, i.e. it takes two $\sigma$-actions. To yield an easier-to-read model, we consider only two nodes and we define

$$\mathrm{LEAP+} \stackrel{\mathrm{def}}{=} m[S_1]^{\nu_m} \mid r[R]^{\nu_r}$$

where $m$ is the initiator and $r$ is the responder, with $m \in \nu_r$ and $r \in \nu_m$. Moreover, we assume that $r$ has already computed its master key $k_r := \mathrm{prf}(k_{in}, r)$. This simple model does not lose generality with respect to the multiple-node case.

5.1 Timed Agreement 

The timed agreement property for LEAP+ requires that the responder r successfully completes
the protocol initiated by m, with the broadcasting of a hello packet, in at most Δ_leap time units
(i.e. two σ-actions). We will show that LEAP+ does not satisfy the timed agreement property.

For our analysis, in order to make observable the completion of the protocol, we define
LEAP'+ by replacing in LEAP+ the process R of Table 8 with the process R' defined as the
same as R except for process R_6 which is replaced by

  R_6' ≝ σ.[end n ⊢_pair e]!<e>.nil .

We use the following abbreviations: hello_i ≝ pair(hello, pair(m, n_i)) and end_i ≝ pair(end, n_i).
The timed agreement property of LEAP+ is defined by the following abstraction:

  ρ_agr(LEAP'+) ≝ m[S̄_1]^obs | r[R̄_1]^obs

where S̄_i ≝ !<hello_i>.σ.⌊?(q_i).σ.nil⌋S̄_{i+1} and R̄_i ≝ ⌊?(hello_i).σ.!<q_i>.σ.!<end_i>.nil⌋σ.R̄_{i+1}, with
q_i = pair(r, mac(k_r, pair(r, n_i))), as defined in Table 8.

The following statement says that the abstraction ρ_agr(LEAP'+) expresses correctly the
timed agreement property for LEAP+.
Table 8  LEAP+ specification

Sender at node m:

  S_i  ≝  [n_{i-1} m ⊢_prf n_i]             build a random nonce n_i
          [m n_i ⊢_pair t]                  build a pair t with m and the nonce n_i
          [hello t ⊢_pair p]                build the hello packet using the pair t
          !<p>.σ.P                          broadcast hello, synchronise and move to P
  P    ≝  ⌊?(q).P_1⌋S_{i+1}                 wait for response from neighbours
  P_1  ≝  [q ⊢_fst r]P_2 ; σ.S_{i+1}        extract node name r from packet q
  P_2  ≝  [q ⊢_snd h]                       extract MAC h from packet q
          [r n_i ⊢_pair t']                 build a pair t' with r and current nonce
          [k_in r ⊢_prf k_r]                calculate r's master key k_r
          [k_r t' ⊢_mac h']                 calculate MAC h' with k_r and t'
          [h' = h]P_3 ; σ.S_{i+1}           if it matches the received one go to P_3,
                                            otherwise go to next time unit and restart
  P_3  ≝  [k_r m ⊢_prf k_{m:r}]P_4          calculate the pairwise key k_{m:r}
  P_4  ≝  σ.nil                             synchronise and conclude key establishment

Receiver at node r:

  R    ≝  ⌊?(p).R_1⌋σ.R                     wait for incoming hello packets
  R_1  ≝  [p ⊢_fst p_1]R_2 ; σ.σ.R          extract the first component
  R_2  ≝  [p ⊢_snd p_2]                     extract the second component
          [p_1 = hello]R_3 ; σ.σ.R          check if p is a hello packet
  R_3  ≝  [p_2 ⊢_fst m]R_4 ; σ.σ.R          extract the sender name m
  R_4  ≝  [p_2 ⊢_snd n]                     extract the nonce n
          [r n ⊢_pair t]                    build a pair t with n and r
          [k_r t ⊢_mac h]                   calculate MAC h on t with r's master key k_r
          [r h ⊢_pair q]                    build packet q with node name r and MAC h
          σ.!<q>.R_5                        synchronise, broadcast q and go to R_5
  R_5  ≝  [k_r m ⊢_prf k_{m:r}]R_6          calculate pairwise key k_{m:r}
  R_6  ≝  σ.nil                             synchronise and conclude key establishment


Proposition 5.1 Whenever ρ_agr(LEAP'+) ==(!hello_i▷obs)==> ==(λ)==> ==(!end_i▷obs)==>, then #σ(λ) = 2.

Now, in order to prove timed agreement for LEAP+ we should show that

  LEAP'+ ∈ tGNDC^{ρ_agr(LEAP'+)}_{φ_0,{m,r}}

for some appropriate φ_0. This would imply that all traces of the system composed by LEAP'+
in parallel with an attacker can be mimicked by ρ_agr(LEAP'+).
Table 9  Replay attack to LEAP+.

  m → * : hello_1     m starts the protocol, but hello_1 is grasped by a and missed by r
  σ                   the system moves to the next time slot
  a → b : hello_1     a sends hello_1 to b
  σ                   the system moves to the next time slot
  b → r : hello_1     b replays hello_1 to r
  m → * : hello_2     m broadcasts hello_2 (containing a fresh nonce n_2), which gets lost
  σ                   the system moves to the next time slot
  r → m : q_1         r replies by sending q_1 (which is discarded by m)
  σ                   the system moves to the next time slot
  r → * : end_1       r signals the end of the protocol


However, this is not the case, as stated by the following theorem.

Theorem 5.2 (Replay Attack to LEAP+) LEAP+ does not satisfy the timed agreement property.

Proof We define an attacker that delays agreement. Let us define the set of attacking nodes
𝒩 = {a, b} for nds(LEAP'+). Let us fix the initial knowledge φ_0 = ∅, so to deal with the
most general situation. We set ν_a = {m, b} and ν_b = {r, a}, and we assume all the nodes in
nds(LEAP'+) are observable, thus ν_m = {r, a, obs} and ν_r = {m, b, obs}. We give an intuition of
the replay attack in Table 9. Basically, the attacker delays the reception of the packet p_1 at m,
which cannot complete the protocol within two time slots, but only after four time slots, thus
breaking agreement. Formally we define the attacker A ∈ 𝒜^{φ_0}_𝒩 as follows:

  A ≝ a[X]^{ν_a} | b[Y]^{ν_b}

where the processes X and Y are the same as those defined in the proof of Theorem 4.2. Now, we
consider the system

  (LEAP'+)^obs | A = m[S_1]^{ν_m} | r[R']^{ν_r} | A

and we find that it admits the following execution trace

  !hello_1▷obs . σ . τ . σ . τ . !hello_2▷obs . σ . !q_1▷obs . σ . !end_1▷obs

where the packet hello_1 and the corresponding packet end_1 are divided by four σ-actions (we
report the corresponding computation in the Appendix). Proposition 5.1 says that this trace
cannot be mimicked by the specification ρ_agr(µTESLA'_boot). As a consequence, the timed
agreement property for LEAP+ does not hold. □
5.2 Timed Integrity

The timed integrity property for LEAP+ says that hello messages and authentication messages
with the same nonce must differ for at most Δ_leap time units. We show that LEAP+ satisfies
the timed integrity property. For doing that, we slightly modify the specification of LEAP+ to
make observable key authentication. We define

  LEAP''+ ≝ m[S_1'']^{ν_m} | r[R]^{ν_r}

where the process S_i'' is the same as process S_i of Table 8 except for process P_4 which is
replaced by

  P_4'' ≝ σ.[auth t ⊢_pair a]!<a>.nil .

For simplicity, we use the following abbreviation: auth_i ≝ pair(auth, pair(m, n_i)).

In order to formally represent the timed integrity property, we define the following abstrac-
tion of the protocol:

  ρ_int(LEAP''+) ≝ m[Ŝ_1]^obs | r[Tick]^obs

where Ŝ_i ≝ !<hello_i>.σ.⌊τ.σ.!<auth_i>.nil⌋Ŝ_{i+1} and Tick ≝ σ.Tick.

By construction, ρ_int(LEAP''+) is a faithful representation of timed integrity for LEAP+ (we
recall that in our encoding Δ_leap corresponds to two σ-actions).

Proposition 5.3 For every i ≥ 1, whenever ρ_int(LEAP''+) ==(!hello_i▷obs)==> ==(λ)==> ==(!auth_i▷obs)==>,
then #σ(λ) = 2.

Now, we notice that LEAP''+ is time-dependent stable with respect to the sequence of
knowledge {φ_i}_{i≥0}, defined as follows:

  φ_0 ≝ {hello_1}
  φ_1 ≝ φ_0 ∪ {mac(k_r, pair(r, n_1))}
  φ_2 ≝ φ_1 ∪ {hello_2, auth_1}
  φ_i ≝ φ_{i-1} ∪ {hello_{j+1}, auth_j}              if j > 1 and i = 2j
  φ_i ≝ φ_{i-1} ∪ {mac(k_r, pair(r, n_{j+1}))}       if j > 0 and i = 2j + 1 .

Now, we pick two attacking nodes a and b, for m and r, respectively, and we focus on the ob-
servation of node m as it signals both the beginning and the end of the authentication protocol.
Again, by applying Theorem 3.13 it suffices to prove a simpler result for each node in isolation
composed with its corresponding top attacker.

Lemma 5.4 Given two attacking nodes a and b, for m and r respectively, and fixed the se-
quence of knowledge {φ_i}_{i≥0} as in (3), then

  1. m[S_1'']^{a,obs} | Top^{φ_0}_{a,m} ≼ m[Ŝ_1]^obs



  2. r[R]^{b,obs} | Top^{φ_0}_{b,r} ≼ r[Tick]^obs .

Theorem 5.5 (LEAP+ Timed integrity) LEAP''+ satisfies the timed integrity property:

  LEAP''+ ∈ tGNDC^{ρ_int(LEAP''+)}_{φ_0,{m,r}} .

Proof By applying Lemma 5.4 and Theorem 3.13. □

6 A Security Analysis of LiSP

In order to achieve a good trade-off between resource limitations and network security, Park et
al. [31] have proposed a Lightweight Security Protocol (LiSP) for WSNs. LiSP provides (i) an
efficient key renewal mechanism which avoids key retransmission, (ii) authentication for each
key disclosure, and (iii) the possibility of both recovering and detecting lost keys.

A LiSP network consists of a Key Server (ks) and a set of sensor nodes m_1, .... The
protocol assumes a one-way function F, pre-loaded in every node of the system, and employs
two different key families: (i) a set of temporal keys k_0, ..., k_n, computed by ks by means of F,
and used by all nodes to encrypt/decrypt data packets; (ii) a set of master keys k_{KS:m_j}, one for
each node m_j, for unicast communications between m_j and bs. As in µTESLA, the transmission
time is split into time intervals, each of them Δ_refresh time units long. Thus, each temporal
key is tied to a time interval and renewed every Δ_refresh time units. At time interval i, the
temporal key k_i is shared by all sensor nodes and it is used for data encryption. Key renewal
relies on loose time synchronisation among nodes. Each node stores a subset of temporal
keys in a buffer of a fixed size, say s, with s ≪ n. When a time interval elapses, each node
removes the active key from the buffer to free a slot for the next key taken from the sequence
k_0, ..., k_n.

The LiSP protocol consists of the following phases.

Initial Setup. At the beginning, ks randomly chooses a key k_n and computes a sequence of
temporal keys k_0, ..., k_n, by using the function F, as in µTESLA: k_i := F(k_{i+1}). Then,
ks waits for reconfiguration requests from nodes. More precisely, when ks receives a
reconfiguration request from a node m_j, at time interval i, it unicasts the packet InitKey:

  ks → m_j : enc(k_{KS:m_j}, (s | k_{s+i} | Δ_refresh)) | hash(s | k_{s+i} | Δ_refresh)

where s represents the buffer size, k_{s+i} is the initial key and Δ_refresh is the duration of the
refresh interval. The operator enc(k, p) represents the encryption of p by using the key
k, while hash(p) generates a message digest for p by means of a cryptographic hash
function used to check the integrity of the packet p.

When m_j receives the InitKey packet, it computes the sequence of keys

  k_{s+i-1}, k_{s+i-2}, ..., k_i

by applying the function F to k_{s+i}. Then, it activates k_i for data encryption and it stores
the remaining keys in its local buffer; finally it sets up a ReKeyingTimer to expire after
Δ_refresh/2 time units (this value applies only for the first rekeying).
Re-Keying. At each time interval i, with i < n, ks employs the active encryption key k_i to
encode the key k_{s+i}. The resulting packet is broadcast as an UpdateKey packet:

  ks → * : enc(k_i, k_{s+i}) .

When a node receives an UpdateKey packet, it tries to authenticate the key received in
the packet; if the node succeeds in the authentication then it recovers all keys that have
possibly been lost and updates its key buffer. When the time interval i elapses, every node
discards k_i, activates the key k_{i+1} for data encryption, and sets up the ReKeyingTimer to
expire after Δ_refresh time units for future key switching (after the first time, switching
happens every Δ_refresh time units).

Authentication and Recovery of Lost Keys. The one-way function F is used to authenticate and
recover lost keys. If s is the size of the key buffer and l, with l ≤ s, is the number of
stored keys in the buffer, then s − l represents the number of keys which have been lost
by the node. When a sensor node receives an UpdateKey packet carrying a new key k, it
calculates F^{s−l}(k) by applying s − l times the function F. If the result matches the
last received temporal key, then the node stores k in its buffer and recovers all lost keys.

Reconfiguration. When a node m_j joins the network or misses more than s temporal keys, then
its buffer is empty. Thus, it sends a RequestKey packet in order to request the current
configuration:

  m_j → ks : RequestKey | m_j .

Upon reception, node ks performs authentication of m_j and, if successful, it sends the
current configuration via an InitKey packet.

Encoding in aTCWS. In Table 10, we provide a specification of the entire LiSP protocol in
aTCWS. We introduce some slight simplifications with respect to the original protocol. We
assume that (i) the temporal keys k_0, ..., k_n have already been computed by ks, (ii) both the
buffer size s and the refresh interval Δ_refresh are known by each node. Thus, the broadcasting of
the InitKey packet can be simplified as follows:

  ks → m_j : enc(k_{KS:m_j}, k_{s+i}) | hash(k_{s+i}) .

Moreover, we assume that every σ-action models the passage of Δ_refresh/2 time units.
Therefore, every two σ-actions the key server broadcasts the new temporal key encrypted with
the key tied to that specific interval. Finally, we do not model data encryption. Our specification
can be easily generalised to fulfil the original requirements of the protocol.

When giving our encoding in aTCWS we will require some new deduction rules to model
hash functions and encryption/decryption of messages:

        w                    w_1  w_2                   w_1  w_2
  ------------ (hash)   ---------------- (enc)    ---------------- (dec)
     hash(w)              enc(w_1, w_2)             dec(w_1, w_2)
Table 10  LiSP Specification

Key Server:

  D_0  ≝  σ.D_1                                        synchronise and move to D_1
  D_i  ≝  [k_i k_{s+i} ⊢_enc t_i]                      for i ≥ 1, encrypt k_{s+i} with k_i
          [UpdateKey t_i ⊢_pair u_i]                   build the UpdateKey packet u_i
          !<u_i>.σ.σ.D_{i+1}                           broadcast u_i, and move to D_{i+1}
  L_i  ≝  ⌊?(r).I⌋σ.L_{i+1}                            wait for request packets
  I    ≝  [r ⊢_fst r_1]I_1 ; σ.σ.L_{i+1}               extract first component
  I_1  ≝  [r_1 = RequestKey]I_2 ; σ.σ.L_{i+1}          check if r_1 is a RequestKey
  I_2  ≝  [r ⊢_snd m]                                  extract node name
          [k_{KS:m} k_{s+i} ⊢_enc w_i]                 encrypt k_{s+i} with k_{KS:m}
          [k_{s+i} ⊢_hash h_i]                         calculate hash code for k_{s+i}
          [w_i h_i ⊢_pair r_i]                         build a pair r_i
          [InitKey r_i ⊢_pair q_i]                     build an InitKey packet q_i
          σ.!<q_i>.σ.L_{i+1}                           broadcast q_i, move to L_{i+1}

Receiver at node m:

  Z    ≝  [RequestKey m ⊢_pair r]                      send a RequestKey packet
          !<r>.σ.⌊?(q).T⌋Z                             wait for a reconfig. packet
  T    ≝  [q ⊢_fst q']T_1 ; σ.Z                        extract fst component of q
  T_1  ≝  [q' = InitKey]T_2 ; σ.Z                      check if q is an InitKey packet
  T_2  ≝  [q ⊢_snd q'']                                extract snd component of q
          [q'' ⊢_fst w]                                extract fst component of q''
          [q'' ⊢_snd h]                                extract snd component of q''
          [k_{KS:m} w ⊢_dec k]T_3 ; σ.Z                extract the key
  T_3  ≝  [k ⊢_hash h'][h = h']T_4 ; σ.Z               verify hash codes
  T_4  ≝  σ.σ.R(F^{s-1}(k), k, s-1)                    synchronise and move to R
  R(k_c, k_L, l)  ≝  ⌊?(u).E⌋F                         wait for incoming packets
  E    ≝  [u ⊢_fst u']E_1 ; σ.F                        extract fst component of u
  E_1  ≝  [u' = UpdateKey]E_2 ; σ.F                    check UpdateKey packet
  E_2  ≝  [u ⊢_snd u'']                                extract snd component of u
          [k_c u'' ⊢_dec k]E_3 ; σ.F                   decrypt u'' by using k_c
  E_3  ≝  [F^{s-l}(k) = k_L]E_4 ; σ.F                  authenticate k
  E_4  ≝  σ.σ.R(F^{s-1}(k), k, s-1)                    synchronise and move to R
  F    ≝  [l = 0]Z ; σ.R(F^{l-1}(k_L), k_L, l-1)       check if key buffer is empty

The protocol executed by the key server is expressed by the following two threads: a key
distributor D_i and a listener L_i, waiting for reconfiguration requests from the sensor nodes, with
i being the current time interval. Every Δ_refresh time units (that is, every two σ-actions) the
process D_i broadcasts the new temporal key k_{s+i} encrypted with the key of the current time
interval i. The listener process L_i replies to reconfiguration requests coming from sensor nodes
by sending an initialisation packet.

At the beginning of the protocol, a sensor node runs the process Z, which broadcasts a
request packet to ks, waits for a reconfiguration packet q, and then checks authenticity by
verifying the hash code. If the verification is successful then the node starts the broadcasting
new keys phase. This phase is formalised by the process R(k_c, k_L, l), where k_c represents the
current temporal key, k_L is the last authenticated temporal key, and the integer l counts the
number of keys that are actually stored in the buffer. This process waits for a new UpdateKey
packet u, which is sent by the key server and carries the new temporal key in the key chain.
If u is correctly received, the process E decrypts the packet, by using the current key k_c, and
authenticates the received key by applying the function F. If the key authentication is success-
ful, then the sensor node synchronises and moves to the next receiving process by updating its
state: k_c is discarded and replaced by the first key in the buffer, k_L is replaced by the key just
authenticated, and l := s−1, as the function F allows the recovery of lost keys. In case of either
packet loss or authentication/decryption failure, the process checks if the buffer still contains
keys. If so, the process switches the keys and moves into the next receiving state with a new
current key and l := l−1. Otherwise, if the buffer is empty, the node needs a reconfiguration as
authentication and recovery are no longer possible. Therefore, the process moves into Z, and
restarts the initial setup phase.
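An added example (not the paper's code) of the receiver side of Table 10 in Python, assuming SHA-256 as the one-way function F and a throw-away XOR pad as enc/dec: it follows the state R(k_c, k_L, l) through an accepted UpdateKey, a lost interval, a recovery of the missed key, a rejected obsolete UpdateKey, and finally an empty buffer that forces reconfiguration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

def F(k: bytes) -> bytes:
    """One-way function F of LiSP; SHA-256 is an assumption (the paper keeps F abstract)."""
    return hashlib.sha256(k).digest()

def f_pow(k: bytes, j: int) -> bytes:
    """F^j(k): apply F j times (F^0 is the identity)."""
    for _ in range(j):
        k = F(k)
    return k

def key_chain(n: int, k_n: bytes) -> List[bytes]:
    """ks picks k_n and derives k_i := F(k_{i+1}); returns [k_0, ..., k_n]."""
    chain = [b""] * (n + 1)
    chain[n] = k_n
    for i in range(n - 1, -1, -1):
        chain[i] = F(chain[i + 1])
    return chain

def enc(k: bytes, p: bytes) -> bytes:
    """enc(k, p) stand-in: XOR with a key-derived pad. Constructed for this example only,
    not a real cipher; the paper treats enc abstractly."""
    pad = hashlib.sha256(b"pad" + k).digest()
    return bytes(a ^ b for a, b in zip(pad, p))

dec = enc  # XOR is its own inverse

@dataclass(frozen=True)
class NodeState:
    """R(k_c, k_L, l) of Table 10: current key, last authenticated key, buffered keys."""
    k_c: bytes
    k_L: bytes
    l: int

def init_key(k_init: bytes, s: int) -> NodeState:
    """InitKey accepted (T_4): R(F^{s-1}(k), k, s-1)."""
    return NodeState(f_pow(k_init, s - 1), k_init, s - 1)

def update_key(st: NodeState, packet: bytes, s: int) -> Optional[Tuple[NodeState, List[bytes]]]:
    """UpdateKey handling (E_2..E_4): decrypt with k_c, accept k iff F^{s-l}(k) = k_L.
    Returns the new state plus the keys recovered between k_L and k, or None on failure."""
    k = dec(st.k_c, packet)
    if f_pow(k, s - st.l) != st.k_L:
        return None
    recovered = [f_pow(k, j) for j in range(s - st.l - 1, 0, -1)]  # keys lost since k_L
    return NodeState(f_pow(k, s - 1), k, s - 1), recovered

def miss_key(st: NodeState) -> Optional[NodeState]:
    """Interval elapsed without an authenticated key (process F): consume one buffered key,
    R(F^{l-1}(k_L), k_L, l-1); None means l = 0, the node must reconfigure (Z)."""
    if st.l == 0:
        return None
    return NodeState(f_pow(st.k_L, st.l - 1), st.k_L, st.l - 1)

def run_demo() -> dict:
    s, n = 3, 8
    chain = key_chain(n, hashlib.sha256(b"constructed seed").digest())  # constructed k_n
    out = {}
    st = init_key(chain[s + 1], s)            # InitKey at interval 1 carries k_{s+1}
    out["after_init"] = st.k_c == chain[2]
    # interval 2: UpdateKey enc(k_2, k_{s+2}) delivered, no loss
    st, rec = update_key(st, enc(chain[2], chain[s + 2]), s)
    out["accept_2"] = st.k_c == chain[3] and rec == []
    st = miss_key(st)                         # interval 3: UpdateKey lost
    out["after_miss"] = st.k_c == chain[4] and st.l == 1
    # interval 4: UpdateKey enc(k_4, k_{s+4}) delivered, k_{s+3} is recovered
    st, rec = update_key(st, enc(chain[4], chain[s + 4]), s)
    out["recovered_k6"] = rec == [chain[s + 3]] and st.k_c == chain[5]
    # interval 5: the obsolete UpdateKey of interval 2 turns up again
    out["stale_rejected"] = update_key(st, enc(chain[2], chain[s + 2]), s) is None
    st = miss_key(st)                         # l: 2 -> 1
    st = miss_key(st)                         # l: 1 -> 0
    out["needs_reconfig"] = miss_key(st) is None
    return out
```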

To simplify the exposition of our security analysis, we formalise the key server as a pair of
nodes: a key disposer kd, which executes the process D_i, and a listener kl, which executes the
process L_i. Thus, the LiSP protocol, in its initial configuration, can be represented as:



where ⋃_{j∈J}{m_j} is the set of sensor nodes, and for every j ∈ J node m_j ∈ ν_kd ∩ ν_kl and
{kd, kl} ⊆ ν_{m_j}.

6.1 Timed Integrity

The timed integrity property for LiSP says that a node m must authenticate only keys sent by
the key server in the previous Δ_refresh time units (that is, every two σ-actions). Otherwise, a
node needing a reconfiguration would authenticate an obsolete temporal key and it would not
be synchronised with the rest of the network. In this section, we show that LiSP does not satisfy
the timed integrity property because a time span of more than Δ_refresh time units may elapse
between the transmission of a message by the key server and the authentication of that message
by the node.

For our analysis, without loss of generality, it suffices to focus on a part of the protocol
composed by the kl node of the key server and a single sensor node m. Moreover, in order
to make observable a successful reconfiguration, we replace the process Z of Table 10 with a
process Z' which is defined as the same as Z except for process T_4 which is replaced by

  T_4' ≝ σ.[auth k ⊢_pair a]!<a>.σ.R(F^{s-1}(k), k, s-1) .

Thus, the part of the protocol under examination is defined as follows:

  LiSP' ≝ m[Z']^{ν_m} | kl[L_1]^{ν_kl} .

The timed integrity property can be expressed by the following abstraction of the protocol:

  ρ_int(LiSP') ≝ m[Ẑ_1]^obs | kl[L̂_1]^obs

where

  • Ẑ_i ≝ !<r>.σ.⌊τ.σ.!<auth_i>.σ.R(k_{i+1}, k_{s+i}, s−1)⌋Ẑ_{i+1}, with r = pair(RequestKey, m) and
    auth_i = pair(auth, k_{s+i}) as defined in Table 10;

  • L̂_i ≝ ⌊τ.σ.!<q_i>.σ.L̂_{i+1}⌋σ.L̂_{i+1}, where q_i = pair(InitKey, r_i) is defined as in Table 10, with
    r_i = pair(enc(k_{KS:m}, k_{s+i}), hash(k_{s+i})).

The next result says that ρ_int(LiSP') is a faithful representation of the timed integrity property
of LiSP'.

Proposition 6.1 Whenever ρ_int(LiSP') ==(Λ)==> ==(!q_i▷obs)==> ==(λ)==> ==(!auth_i▷obs)==>, then #σ(λ) = 2.

In order to show that LiSP' satisfies timed integrity, we should prove that

  LiSP' ∈ tGNDC^{ρ_int(LiSP')}_{φ_0,{m,kl}}

for some appropriate φ_0.

Unfortunately, this is not the case. The following theorem describes an attacker which
obliges LiSP' to perform a trace in which auth_i occurs 2Δ_refresh time units (that is, four
σ-actions) after q_i. Proposition 6.1 says that such a trace cannot be mimicked by ρ_int(LiSP').

Theorem 6.2 (Replay Attack to LiSP) LiSP' does not satisfy the timed integrity property.

Proof We propose an attacker that delays authentication. Let us define the set of attacking
nodes 𝒩 = {a, b} for nds(LiSP'). Let us fix the initial knowledge φ_0 = ∅, so to deal with the
most general situation. We set ν_a = {m, b} and ν_b = {kl, a}, and we assume that all nodes in
nds(LiSP') are observable, thus ν_m = {kl, a, obs} and ν_kl = {m, b, obs}. We give an intuition of
the replay attack in Table 11. Basically, the attacker prevents the node m from receiving the InitKey
packet within Δ_refresh time units. Thus m completes the protocol only after 2Δ_refresh time units,
and it authenticates an old key. This denotes a replay attack that breaks integrity. Formally, we
define the attacker A ∈ 𝒜^{φ_0}_𝒩 as follows:

  A ≝ a[X]^{ν_a} | b[Y]^{ν_b}
Table 11  Replay attack to LiSP.

  m → kl : r         m sends a RequestKey and kl correctly receives the packet
  σ                  the system moves to the next time slot
  kl → m : q_1       kl replies with an InitKey which is lost by m and grasped by b
  σ                  the system moves to the next time slot
  b → a : q_1        b sends q_1 to a
  m → kl : r         m sends a new RequestKey which gets lost
  σ                  the system moves to the next time slot
  a → m : q_1        a replays q_1 to m
  σ                  the system moves to the next time slot
  m → * : auth_1     m authenticates q_1 and signals the end of the protocol


where X ≝ σ.σ.⌊?(x).σ.!<x>.nil⌋nil and Y ≝ σ.⌊?(y).σ.!<y>.nil⌋nil. We then consider the
system (LiSP')^obs | A which admits the following execution trace:

  !r▷obs . σ . !q_1▷obs . σ . τ . !r▷obs . σ . τ . σ . !auth_1▷obs

where the packet q_1 and the corresponding auth_1 packet are divided by three σ-actions (we
report the corresponding computation in the Appendix). By Proposition 6.1 this trace cannot
be matched by ρ_int(LiSP'). As a consequence, (LiSP')^obs | A ⋠ ρ_int(LiSP'). Hence the timed
integrity property does not hold. □



6.2 Timed Agreement

The timed agreement property for LiSP requires that when a sensor node m completes the
protocol, apparently with the initiator kl, then kl has initiated the protocol Δ_refresh time units
before and the two nodes agree on the transmitted data. In other words: the packet q_i must
be received and authenticated by m exactly Δ_refresh time units after it has been sent by bs. This
suggests that, as seen for µTESLA in Section 4.2, any formulation of timed agreement for LiSP
would actually coincide with timed integrity. As a consequence, Theorem 6.2 also says that
LiSP does not satisfy timed agreement.



7 Conclusions, Related and Future Work

We have proposed a timed broadcasting calculus, called aTCWS, to formalise and verify real-
world key management protocols for WSNs. Our calculus comes with a well-defined opera-
tional semantics and a (bi)simulation-based behavioural semantics. We have provided formal
specifications in aTCWS of three well-known key management protocols for WSNs: LiSP [31],
µTESLA [32] and LEAP+ [?]. Our specifications meet the requirements of Proposition 2.10,
thus they all satisfy well-timedness. We have revised Gorrieri and Martinelli's tGNDC [?]
framework in such a way that it can be applied to WSNs. In particular, we have expressed two
timed security properties as instances of tGNDC: timed integrity and timed agreement.

We have formally proved that the bootstrapping phase of µTESLA and the single-hop
pairwise shared key mechanism of LEAP+ enjoy timed integrity, and that the authenticated-
broadcast phase of µTESLA enjoys both timed integrity and timed agreement. On the other
hand, we have provided three different replay attacks showing that the bootstrapping phase of
µTESLA and the single-hop pairwise shared key mechanism of LEAP+ do not enjoy timed
agreement, and LiSP satisfies neither timed integrity nor timed agreement. The two
attacks on µTESLA and LEAP+ are somehow similar as they both delay the reception of the
initial packets of the protocols. The attack on LiSP delays the reception of an intermediate
packet which is required for the completion of the protocol.

The present work is the continuation and generalisation of [?], where a slight variant of the
calculus was introduced, and an early security analysis for the authenticated-broadcast phase of
µTESLA and the single-hop pairwise shared key mechanism of LEAP+ was performed. In [38]
the calculus aTCWS has been used by the last author to analyse the LiSP protocol. The design
of our calculus is strongly inspired by tCryptoSPA [15], a timed "cryptographic" variant of
Milner's CCS [26].

The tGNDC schema for tCryptoSPA has already been used by Gorrieri et al. [16] to study
several security protocols, for both wired and wireless networks. In particular, they studied
the authenticated-broadcast phase of µTESLA, proving timed integrity. The formalisation of
µTESLA we have proposed here is much less involved than the one of [16] thanks to the
specific features of our calculus for broadcast communications.

Several process calculi for wireless systems have been recently proposed. Mezzetti and
Sangiorgi [21] have introduced a calculus to describe interferences in wireless systems. Nanz
and Hankin [28] have proposed a calculus for mobile ad hoc networks for specification and
security analysis of communication protocols. They provide a decision procedure to check se-
curity against fixed intruders known in advance. Merro [24] has proposed a behavioural theory
for mobile ad hoc networks. Godskesen [14] has proposed a calculus for mobile ad hoc net-
works with a formalisation of an attack on the cryptographic routing protocol ARAN. Singh
et al. [35] have proposed the ω-calculus for modelling the AODV routing protocol. Ghassemi
et al. [11, 12] have proposed a process algebra, provided with model checking and equational
reasoning, which models topology changes implicitly in the semantics. Merro and Sibilio [?]
have proposed a timed calculus for wireless systems focusing on the notion of communica-
tion collision. Godskesen and Nanz [13] have proposed a simple timed calculus for wireless
systems to express a wide range of mobility models. Gallina and Rossi [9] have proposed a
calculus for the analysis of energy-aware communications in mobile ad hoc networks. Song
and Godskesen [36] have proposed the first probabilistic untimed calculus for mobile wireless
systems in which connection probabilities may change due to node mobility. Kouzapas and
Philippou [20] have proposed a process calculus for dynamic networks which contains features
for broadcasting at multiple transmission ranges and for viewing networks at different levels of
abstraction.

Recently, Arnaud et al. [3] have proposed a calculus for modelling and reasoning about
security protocols, including secure routing protocols, for a bounded number of sessions. They
provide two NPTIME decision procedures for analysing routing protocols for any network
topology, and apply their framework to analyse the protocol SRP [30] applied to DSR [18].

The AVISPA model checker [2] has been used in [?] for an analysis of TinySec [19],
LEAP [42], and TinyPK [?], three wireless sensor network security protocols, and in [39]
for an analysis of the Sensor Network Encryption Protocol SNEP [32]. In particular, in [?]
the authors considered the communication between immediate neighbour nodes which use the
pairwise shared key already established by LEAP. In this case AVISPA found a man-in-the-
middle attack where the intruder may play at the same time the role of two nodes in order to
obtain real information from one of them, thus losing confidentiality.

It is our intention to apply our framework to study the correctness of a wide range of
wireless network security protocols, as for instance, MiniSec [23], and evolutions of LEAP+,
such as R-LEAP+ [?] and LEAP++ [22].
A Proofs

Proof of Proposition 2.4 We single out each item of the proposition.

Item 1. The forward direction is an instance of rule (RcvEnb); the converse is proved by a
straightforward rule induction.

Item 2. The forward direction follows by noticing that only rules (RcvEnb) and (RcvPar) are
suitable for deriving the action m?w from M_1 | M_2: in the case of rule (RcvEnb) we just apply
rule (RcvEnb) both on M_1 and on M_2; in the case of rule (RcvPar) the premises require both M_1
and M_2 to perform an action m?w and to move to N_1 and N_2 with N = N_1 | N_2. The converse
is an instance of rule (σ-Par).

Item 3. The result is a consequence of the combination of rules (Snd) and (Bcast) and it is proved
by a straightforward rule induction.

Item 4. Again, the proof is done by a straightforward rule induction.

Item 5. The forward direction follows by noticing that the only rule for deriving the action σ
from M_1 | M_2 is (σ-Par) which, in the premises, requires both M_1 and M_2 to perform an action
σ. The converse is an instance of rule (σ-Par). □
Proposition A.1 If M ≈ N then nds(M) = nds(N).

Proof By contradiction. Assume there exists a node m such that m ∈ nds(M) and m ∉
nds(N). Then, by rule (RcvEnb), N --m?w--> N. Since M ≈ N there must be M' such that
M ==m?w==> M' with M' ≈ N. However, since m ∈ nds(M), by inspection on the transition
rules, there is no way to deduce a weak transition of the form M ==m?w==> M'. □

Proof of Theorem 2.12 We prove that the relation

  ℛ = { (M | O, N | O) s.t. M ≈ N and M | O, N | O are well-formed }

is a bisimulation. We proceed by case analysis on why M | O --α--> Z. The interesting cases are
when the transition is due to an interaction between M and O. The remaining cases are more
elementary.

Let M | O --!w▷ν--> M' | O' (ν ≠ ∅) by an application of rule (Obs), because M | O --m!w▷μ-->
M' | O', by an application of rule (Bcast). There are two possible ways to derive this transition,
depending on where the sender node is located in the network.

1. M --m!w▷μ--> M' and O --m?w--> O', with m ∈ nds(M) and ν = μ \ nds(O). By an
application of rule (Obs) we obtain that M --!w▷μ--> M'. Since M ≈ N, it follows that there
is N' such that N ==!w▷μ==> N' with M' ≈ N'. This implies that there exists h ∈ nds(N)
such that N ==h!w▷μ==> N'. Moreover:

  (a) h ∉ nds(O), as N | O is well-formed and it cannot contain two nodes with the same
      name;
  (b) μ ⊆ ngh(h, N), by Proposition 2.4(3);
  (c) if k ∈ μ ∩ nds(O) then h ∈ ngh(k, O), as the neighbouring relation is symmetric.

Now, in case O --m?w--> O' exclusively by rule (RcvEnb) then also O --h?w--> O' by
rule (RcvEnb) and item (a). In case the derivation of O --m?w--> O' involves some ap-
plications of the rule (Rcv) then the concerned nodes have the form k[⌊?(x).P⌋Q]^ν with
k ∈ μ, hence h ∈ ngh(k, O) by item (c), and so we can derive O --h?w--> O' by applying
the rules (RcvEnb) and (RcvPar).

Thus we have O --h?w--> O' in any case. Then by an application of rule (Bcast) and several
applications of rule (TauPar) we have N | O ==h!w▷ν==> N' | O'. As ν ≠ ∅, by an application
of rule (Obs) and several applications of rule (TauPar) it follows that N | O ==!w▷ν==> N' | O'.
Since M' ≈ N', we obtain (M' | O', N' | O') ∈ ℛ.

2. M --m?w--> M' and O --m!w▷μ--> O', with m ∈ nds(O) and ν = μ \ nds(M). Since M ≈ N,
it follows that there is N' such that N ==m?w==> N' with M' ≈ N'. By an application of rule
(Bcast) and several applications of rule (TauPar) we have N | O ==m!w▷ν'==> N' | O', with
ν' = μ \ nds(N). Since M ≈ N, by Proposition A.1 it follows that ν' = ν ≠ ∅. Thus,
by an application of rule (Obs) it follows that N | O ==!w▷ν==> N' | O'. Since M' ≈ N', we
obtain (M' | O', N' | O') ∈ ℛ.

Let M | O --τ--> M' | O' by an application of rule (Shh) because M | O --m!w▷∅--> M' | O'.
This case is similar to the previous one.

Let M | O --m?w--> M' | O' by an application of rule (RcvPar) because M --m?w--> M'
and O --m?w--> O'. Since M ≈ N, it follows that there is N' such that N ==m?w==> N' with
M' ≈ N'. By an application of rule (RcvPar) and several applications of rule (TauPar) we have
N | O ==m?w==> N' | O'. Since M' ≈ N', we obtain (M' | O', N' | O') ∈ ℛ.

Let M | O --σ--> M' | O' by an application of rule (σ-Par) because M --σ--> M' and O --σ--> O'.
This case is similar to the previous one. □

Proof of Lemma 3.11. We first note that a straightforward consequence of Definition 3.9 is:

$$\mathrm{Top}^{\varphi}_{\mathcal{A}/\mathcal{I}} \;=\; \mathrm{Top}^{\varphi}_{\mathcal{A}_1/\mathcal{I}_1} \mid \mathrm{Top}^{\varphi}_{\mathcal{A}_2/\mathcal{I}_2}$$

Then, in order to prove the result, we just need to show that

$$(M_1 \mid M_2)^{\mathcal{A}}_{\mathcal{I}} \mid \mathrm{Top}^{\varphi}_{\mathcal{A}/\mathcal{I}} \;\lesssim\; (M_1)^{\mathcal{A}_1}_{\mathcal{I}_1} \mid (M_2)^{\mathcal{A}_2}_{\mathcal{I}_2} \mid \mathrm{Top}^{\varphi}_{\mathcal{A}_1 \cup \mathcal{A}_2 / \mathrm{nds}(M)} .$$

To improve readability, we consider the most general case, that is $\mathcal{I}_1 = \mathrm{nds}(M_1)$ and $\mathcal{I}_2 = \mathrm{nds}(M_2)$. Moreover, we assume $M_1 = m_1[P_1]^{\nu_1}$, $M_2 = m_2[P_2]^{\nu_2}$ and therefore $\mathcal{A}_1 = \{a_1\}$, $\mathcal{A}_2 = \{a_2\}$. The generalisation is straightforward. Then we have:

• $(M_1 \mid M_2)^{\mathcal{A}}_{\mathcal{I}} = m_1[P_1]^{\nu'_1} \mid m_2[P_2]^{\nu'_2}$ with $\{a_1, obs\} \subseteq \nu'_1 \subseteq \{a_1, m_2, obs\}$ and $\{a_2, obs\} \subseteq \nu'_2 \subseteq \{a_2, m_1, obs\}$;

• $(M_1)^{\mathcal{A}_1}_{\mathcal{I}_1} = m_1[P_1]^{\nu''_1}$ with $\nu''_1 = \{a_1, obs\}$;

• $(M_2)^{\mathcal{A}_2}_{\mathcal{I}_2} = m_2[P_2]^{\nu''_2}$ with $\nu''_2 = \{a_2, obs\}$.

We define $\mathcal{I} = \{m_1, m_2\}$ and $\mathcal{A} = \{a_1, a_2\}$. We need to prove

$$m_1[P_1]^{\nu'_1} \mid m_2[P_2]^{\nu'_2} \mid \mathrm{Top}^{\varphi}_{\mathcal{A}/\mathcal{I}} \;\lesssim\; m_1[P_1]^{\nu''_1} \mid m_2[P_2]^{\nu''_2} \mid \mathrm{Top}^{\varphi}_{\mathcal{A}/\mathcal{I}} .$$

We prove that the following binary relation is a simulation:

$$\mathcal{R} \;=\; \bigcup_{j \ge 0} \Big\{ \big(\, m_1[Q_1]^{\nu'_1} \mid m_2[Q_2]^{\nu'_2} \mid N ,\;\; m_1[Q_1]^{\nu''_1} \mid m_2[Q_2]^{\nu''_2} \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}} \,\big) \;\text{ such that }\; m_1[P_1]^{\nu'_1} \mid m_2[P_2]^{\nu'_2} \mid \mathrm{Top}^{\varphi}_{\mathcal{A}/\mathcal{I}} \stackrel{\Lambda}{\Longrightarrow} m_1[Q_1]^{\nu'_1} \mid m_2[Q_2]^{\nu'_2} \mid N \;\text{ for some } \Lambda \text{ with } \#^{\sigma}(\Lambda) = j \Big\}$$

We consider $(\, m_1[Q_1]^{\nu'_1} \mid m_2[Q_2]^{\nu'_2} \mid N ,\; m_1[Q_1]^{\nu''_1} \mid m_2[Q_2]^{\nu''_2} \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}} \,) \in \mathcal{R}$ and we proceed by case analysis on why $m_1[Q_1]^{\nu'_1} \mid m_2[Q_2]^{\nu'_2} \mid N \xrightarrow{\alpha} m_1[Q'_1]^{\nu'_1} \mid m_2[Q'_2]^{\nu'_2} \mid N'$.

$\alpha = m?w$. This case is straightforward. In fact, the environment of the system contains exclusively the node $obs$, which cannot transmit; thus the rule (Rcv) cannot be applied. We can consider just the rules (RcvEnb) and (RcvPar), which do not modify the network.

$\alpha = \sigma$. Then $m_i[Q_i]^{\nu'_i} \xrightarrow{\sigma} m_i[Q'_i]^{\nu'_i}$ (for $i = 1,2$) and $N \xrightarrow{\sigma} N'$. Now also $\mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}} \xrightarrow{\sigma} \mathrm{Top}^{\varphi_{j+1}}_{\mathcal{A}/\mathcal{I}}$, hence $m_1[Q_1]^{\nu''_1} \mid m_2[Q_2]^{\nu''_2} \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}} \xrightarrow{\sigma} m_1[Q'_1]^{\nu''_1} \mid m_2[Q'_2]^{\nu''_2} \mid \mathrm{Top}^{\varphi_{j+1}}_{\mathcal{A}/\mathcal{I}}$.

$\alpha = \,!w \triangleright \nu$. We observe: (i) the environment of the system contains just the node $obs$ and (ii) $\mathrm{Env}(N) = \{m_1, m_2\}$. Thus there exists $i \in \{1,2\}$ such that the transition has been derived just by rule (Obs) from the following premise

$$m_1[Q_1]^{\nu'_1} \mid m_2[Q_2]^{\nu'_2} \mid N \;\xrightarrow{m_i!w \triangleright \{obs\}}\; m_1[Q'_1]^{\nu'_1} \mid m_2[Q'_2]^{\nu'_2} \mid N' .$$

Without loss of generality we assume $i = 1$; then we have $m_1[Q_1]^{\nu'_1} \xrightarrow{m_1!w \triangleright \nu'_1} m_1[Q'_1]^{\nu'_1}$, $m_2[Q_2]^{\nu'_2} \xrightarrow{m_1?w} m_2[Q'_2]^{\nu'_2}$ and $N \xrightarrow{m_1?w} N'$. Now, to prove the similarity, we need to simulate the $m_1?w$-action at the node $m_2[Q_2]^{\nu''_2}$, which cannot actually receive packets from $m_1$ ($m_1 \notin \nu''_2$). We first observe that the message $w$ can be eavesdropped by an attacker at the time interval $j$, thus $w \in D(\varphi_j)$ thanks to time-dependent stability. Then $\mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}} \xrightarrow{a_2!w \triangleright m_2} \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}}$. Since $a_2 \in \nu''_2$ we have $m_2[Q_2]^{\nu''_2} \xrightarrow{a_2?w} m_2[Q'_2]^{\nu''_2}$. Finally $m_1[Q_1]^{\nu''_1} \xrightarrow{a_2?w} m_1[Q_1]^{\nu''_1}$ by rule (RcvEnb). Thus by applying rule (Bcast) we obtain

$$m_1[Q_1]^{\nu''_1} \mid m_2[Q_2]^{\nu''_2} \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}} \;\xrightarrow{a_2!w \triangleright \emptyset}\; m_1[Q_1]^{\nu''_1} \mid m_2[Q'_2]^{\nu''_2} \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}}$$

and by rule (Shh) $m_1[Q_1]^{\nu''_1} \mid m_2[Q_2]^{\nu''_2} \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}} \xrightarrow{\tau} m_1[Q_1]^{\nu''_1} \mid m_2[Q'_2]^{\nu''_2} \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}}$. Now $m_1[Q_1]^{\nu''_1} \xrightarrow{m_1!w \triangleright \nu''_1} m_1[Q'_1]^{\nu''_1}$ and by rule (RcvEnb) we have both $m_2[Q'_2]^{\nu''_2} \xrightarrow{m_1?w} m_2[Q'_2]^{\nu''_2}$ and $\mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}} \xrightarrow{m_1?w} \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}}$. Thus

$$m_1[Q_1]^{\nu''_1} \mid m_2[Q'_2]^{\nu''_2} \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}} \;\xrightarrow{!w \triangleright \{obs\}}\; m_1[Q'_1]^{\nu''_1} \mid m_2[Q'_2]^{\nu''_2} \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}} .$$

$\alpha = \tau$. The most significant case is an application of rule (Shh), from the premise $m_1[Q_1]^{\nu'_1} \mid m_2[Q_2]^{\nu'_2} \mid N \xrightarrow{m!w \triangleright \emptyset} m_1[Q'_1]^{\nu'_1} \mid m_2[Q'_2]^{\nu'_2} \mid N'$. Since $obs \in \nu'_1 \cap \nu'_2$ the broadcast action must be performed by $N$; thus there exists $i \in \{1,2\}$ such that $N \xrightarrow{a_i!w \triangleright m_i} N'$ and $m_l[Q_l]^{\nu'_l} \xrightarrow{a_i?w} m_l[Q'_l]^{\nu'_l}$, for $l = 1,2$. Now also $\mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}} \xrightarrow{a_i!w \triangleright m_i} \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}}$ and $m_l[Q_l]^{\nu''_l} \xrightarrow{a_i?w} m_l[Q'_l]^{\nu''_l}$, for $l = 1,2$. Thus $m_1[Q_1]^{\nu''_1} \mid m_2[Q_2]^{\nu''_2} \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}} \xrightarrow{\tau} m_1[Q'_1]^{\nu''_1} \mid m_2[Q'_2]^{\nu''_2} \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathcal{I}}$. □
Lemma A.2. If $M$ is time-dependent stable with respect to a sequence of knowledge $\{\varphi_j\}_{j \ge 0}$, $\mathcal{A}$ is a set of attacking nodes for $M$ and $\mathcal{I} \subseteq \mathrm{nds}(M)$ then

$$M^{\mathcal{A}}_{\mathcal{I}} \mid A \;\lesssim\; M^{\mathcal{A}}_{\mathcal{I}} \mid \mathrm{Top}^{\varphi_0}_{\mathcal{A}/\mathrm{nds}(M)} \qquad \text{for every } A \in \mathcal{A}^{\varphi_0}_{\mathcal{A}/\mathrm{nds}(M)} .$$

Proof. We prove the lemma in the most general case, that is $\mathcal{I} = \mathrm{nds}(M)$. Then we fix an arbitrary $A \in \mathcal{A}^{\varphi_0}_{\mathcal{A}/\mathrm{nds}(M)}$ and we define the proper simulation as follows:

$$\mathcal{R} \;=\; \bigcup_{j \ge 0} \Big\{ \big(\, M' \mid A' ,\; M' \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)} \,\big) \;\text{ s.t. }\; M^{\mathcal{A}}_{\mathcal{I}} \mid A \stackrel{\Lambda}{\Longrightarrow} M' \mid A' \;\text{ with }\; \mathrm{nds}(M') = \mathrm{nds}(M^{\mathcal{A}}_{\mathcal{I}}) \text{ and } \#^{\sigma}(\Lambda) = j \Big\}$$

We let $(\, M' \mid A' ,\; M' \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)} \,) \in \mathcal{R}$. We make a case analysis on why $M' \mid A' \xrightarrow{\alpha} N$.

$\alpha = m?w$. As for Lemma 3.11, this case is straightforward.

$\alpha = \sigma$. Then $N = M'' \mid A''$ with $M' \xrightarrow{\sigma} M''$ and $A' \xrightarrow{\sigma} A''$. Now also $\mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)} \xrightarrow{\sigma} \mathrm{Top}^{\varphi_{j+1}}_{\mathcal{A}/\mathrm{nds}(M)}$ by rule ($\sigma$-Sum), hence by rule ($\sigma$-Par) we have $M' \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)} \xrightarrow{\sigma} M'' \mid \mathrm{Top}^{\varphi_{j+1}}_{\mathcal{A}/\mathrm{nds}(M)}$.

$\alpha = \,!w \triangleright \nu$. Since the environment of the system contains just the node $obs$, the transition has to be derived by the rule (Obs), whose premise is $M' \mid A' \xrightarrow{m!w \triangleright \{obs\}} N$. Since $obs \notin \mathrm{Env}(A')$ then $m \in \mathrm{nds}(M')$ and $N = M'' \mid A''$ with $M' \xrightarrow{m!w \triangleright \nu'} M''$, $\{obs\} = \nu' \setminus \mathrm{nds}(A')$ and $A' \xrightarrow{m?w} A''$. Now we have $\mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)} \xrightarrow{m?w} \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)}$ by rule (RcvEnb). Hence $M' \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)} \xrightarrow{m!w \triangleright \{obs\}} M'' \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)}$ by rule (Bcast) and the fact that $\mathrm{nds}(A') = \mathcal{A} = \mathrm{nds}(\mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)})$. Finally, by rule (Obs):

$$M' \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)} \;\xrightarrow{!w \triangleright \{obs\}}\; M'' \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)} .$$

$\alpha = \tau$. The most significant case is when $\tau$ is derived by an application of rule (Shh); then we have $M' \mid A' \xrightarrow{a!w \triangleright \emptyset} N$ and $a \in \mathrm{nds}(A') = \mathcal{A}$, since the broadcast from any of the nodes in $\mathrm{nds}(M') = \mathrm{nds}(M)$ can be observed by the node $obs$. In this case we have $M' \xrightarrow{a?w} M''$ and $A' \xrightarrow{a!w \triangleright m} A''$, where $m$ is the single node of $M$ attacked by $a$. Now also $\mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)} \xrightarrow{\tau} \xrightarrow{a!w \triangleright m} \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)}$ by rules (Tau) and (Snd), since the attacking node associated to $m$ does not change and $\mathrm{msg}(A') \subseteq D(\varphi_j)$. Hence, by rule (Bcast): $M' \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)} \stackrel{a!w \triangleright \emptyset}{\Longrightarrow} M'' \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)}$. Thus $M' \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)} \stackrel{\tau}{\Longrightarrow} M'' \mid \mathrm{Top}^{\varphi_j}_{\mathcal{A}/\mathrm{nds}(M)}$ by rule (Shh). □

Proof of Theorem 3.12. By Lemma A.2 we have $M^{\mathcal{A}}_{\mathcal{I}} \mid A \lesssim M^{\mathcal{A}}_{\mathcal{I}} \mid \mathrm{Top}^{\varphi_0}_{\mathcal{A}/\mathrm{nds}(M)}$ for every $A \in \mathcal{A}^{\varphi_0}_{\mathcal{A}/\mathrm{nds}(M)}$. Then by transitivity of $\lesssim$ we have $M^{\mathcal{A}}_{\mathcal{I}} \mid A \lesssim N$ for every $A \in \mathcal{A}^{\varphi_0}_{\mathcal{A}/\mathrm{nds}(M)}$, and we conclude that $M$ is $\mathrm{tGNDC}^{N}$. □
Proof of Proposition 4.1. By induction on $i$ we show that whenever $bs[D_1]^{obs} \stackrel{\Lambda}{\Longrightarrow} bs[D_i]^{obs}$ or $m[A_1]^{obs} \stackrel{\Lambda}{\Longrightarrow} m[A_i]^{obs}$ then $\#^{\sigma}(\Lambda) = 2(i-1)$. Moreover, we observe that $!p_i \triangleright obs$ can be performed exclusively because $m[A_i]^{obs} \xrightarrow{!p_i \triangleright obs}$, while $!end_i \triangleright obs$ can be performed exclusively because $bs[D_i]^{obs} \stackrel{\Lambda}{\Longrightarrow} \xrightarrow{!end_i \triangleright obs}$ with $\#^{\sigma}(\Lambda) = 2$. Hence we deduce that:

1. if $m[A_1]^{obs} \stackrel{\Lambda}{\Longrightarrow} \xrightarrow{!p_i \triangleright obs}$ then $\#^{\sigma}(\Lambda) = 2(i-1)$;

2. if $bs[D_1]^{obs} \stackrel{\Lambda}{\Longrightarrow} \xrightarrow{!end_i \triangleright obs}$ then $\#^{\sigma}(\Lambda) = 2i$.

Now, the result is a straightforward consequence of these two properties. □
Proof of Theorem 4.2. The system $(\mu\mathrm{TESLA}')^{\mathcal{A}}_{\mathcal{I}} \mid A$ performs the following computation:

$$\begin{array}{l}
bs[D_1]^{\nu_{bs}} \mid m[A_1]^{\nu_m} \mid A \\[2pt]
\xrightarrow{!p_1 \triangleright obs}\; bs[D'_1]^{\nu_{bs}} \mid m[\sigma.B_1]^{\nu_m} \mid a[\sigma.!\langle p_1 \rangle.\mathrm{nil}]^{\nu_a} \mid b[Y]^{\nu_b} \\[2pt]
\xrightarrow{\sigma}\; bs[\sigma.D'_2]^{\nu_{bs}} \mid m[B_1]^{\nu_m} \mid a[!\langle p_1 \rangle.\mathrm{nil}]^{\nu_a} \mid b[\lfloor ?(y).\sigma.!\langle y \rangle.\mathrm{nil} \rfloor \mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{\tau}\; bs[\sigma.D'_2]^{\nu_{bs}} \mid m[B_1]^{\nu_m} \mid a[\mathrm{nil}]^{\nu_a} \mid b[\sigma.!\langle p_1 \rangle.\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{\sigma}\; bs[D'_2]^{\nu_{bs}} \mid m[A_2]^{\nu_m} \mid a[\mathrm{nil}]^{\nu_a} \mid b[!\langle p_1 \rangle.\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{\tau}\; bs[D'_2\{p_1/p\}]^{\nu_{bs}} \mid m[A_2]^{\nu_m} \mid a[\mathrm{nil}]^{\nu_a} \mid b[\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{!p_2 \triangleright obs}\; bs[(\ldots)\{p_1/p\}]^{\nu_{bs}} \mid m[\sigma.B_2]^{\nu_m} \mid a[\mathrm{nil}]^{\nu_a} \mid b[\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{\sigma}\; bs[!\langle w_1 \rangle.G'_2\{p_1/p\}]^{\nu_{bs}} \mid m[B_2]^{\nu_m} \mid a[\mathrm{nil}]^{\nu_a} \mid b[\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{!w_1 \triangleright obs}\; bs[E^{*}\{w_1/n\}]^{\nu_{bs}} \mid m[C_2\{w_1/w\}]^{\nu_m} \mid a[\mathrm{nil}]^{\nu_a} \mid b[\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{\sigma}\; bs[!\langle end_1 \rangle.(\ldots)]^{\nu_{bs}} \mid m[A_3]^{\nu_m} \mid a[\mathrm{nil}]^{\nu_a} \mid b[\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{!end_1 \triangleright obs}
\end{array}$$

Hence agreement is not reached.

Proof of Lemma 4.4. We provide the proper simulation in both cases.

Case 1: Base Station. To show that $bs[D_1]^{\{b,obs\}} \mid \mathrm{Top}^{\varphi_0}_{b/bs} \lesssim bs[Tick]^{obs}$ we define the relation

$$\mathcal{R} \;\stackrel{\mathrm{def}}{=}\; \Big\{ \big(\, M ,\; bs[Tick]^{obs} \,\big) \;\text{ such that }\; bs[D_1]^{\{b,obs\}} \mid \mathrm{Top}^{\varphi_0}_{b/bs} \Longrightarrow M \Big\} .$$

We first notice that for every $(\, M ,\; bs[Tick]^{obs} \,) \in \mathcal{R}$ we have $\mathrm{Env}(M) = \{obs\}$. Thus the most significant actions can only be $\sigma$-actions, $\tau$-actions or input actions that can be derived without applying rule (Rcv). Then it is straightforward to prove that $\mathcal{R}$ is a simulation.

Case 2: Node. To show that $m[A''_1]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_0}_{a/m} \lesssim m[A_1]^{obs}$ we pick an index $i \ge 1$ and the messages $w, w', w''$, and we build a relation $\mathcal{R}_i(w', w, w'')$ containing the pair $(\, m[A''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} ,\; m[A_i]^{obs} \,)$ along with its derivatives which may be generated when $m$ receives $w$ from the attacker. To improve readability: (i) we abbreviate the process $R(i+1, k_{i-1})$ simply as $R_i$, (ii) we employ the structural congruence $\equiv$ to rewrite $A_i$ as:

$$A_i \stackrel{\mathrm{def}}{=} \;!\langle p_i \rangle.\sigma.B_i \qquad B_i \stackrel{\mathrm{def}}{=} \lfloor \tau.C_i \rfloor A_{i+1} \qquad C_i \stackrel{\mathrm{def}}{=} \sigma.!\langle auth_i \rangle.R_i .$$

Then we define $\mathcal{R}_i(w', w, w'')$ to be the following binary relation:

$$\begin{array}{l}
\{\; (\, m[A''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} ,\; m[A_i]^{obs} \,) ,\;\; (\, m[A''_i]^{\{a,obs\}} \mid a[!\langle w' \rangle.\mathrm{T}_{\varphi_{2(i-1)}}]^{m} ,\; m[A_i]^{obs} \,) , \\[2pt]
\;\; (\, m[\sigma.B''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} ,\; m[\sigma.B_i]^{obs} \,) ,\;\; (\, m[\sigma.B''_i]^{\{a,obs\}} \mid a[!\langle w' \rangle.\mathrm{T}_{\varphi_{2(i-1)}}]^{m} ,\; m[\sigma.B_i]^{obs} \,) , \\[2pt]
\;\; (\, m[B''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} ,\; m[B_i]^{obs} \,) ,\;\; (\, m[B''_i]^{\{a,obs\}} \mid a[!\langle w \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} ,\; m[B_i]^{obs} \,) , \\[2pt]
\;\; (\, m[\{w/x\}C''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} ,\; m[B_i]^{obs} \,) ,\;\; (\, m[\{w/x\}C''_i]^{\{a,obs\}} \mid a[!\langle w \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} ,\; m[B_i]^{obs} \,) , \\[2pt]
\;\; (\, m[!\langle auth_i \rangle.R_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m} ,\; m[!\langle auth_i \rangle.R_i]^{obs} \,) ,\;\; (\, m[!\langle auth_i \rangle.R_i]^{\{a,obs\}} \mid a[!\langle w'' \rangle.\mathrm{T}_{\varphi_{2i}}]^{m} ,\; m[!\langle auth_i \rangle.R_i]^{obs} \,) , \\[2pt]
\;\; (\, m[R_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m} ,\; m[R_i]^{obs} \,) ,\;\; (\, m[R_i]^{\{a,obs\}} \mid a[!\langle w'' \rangle.\mathrm{T}_{\varphi_{2i}}]^{m} ,\; m[R_i]^{obs} \,) \;\} .
\end{array}$$

Now we notice that both the process $R_i$ and its derivatives cannot perform any broadcast action. Moreover, the network $m[R_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m}$, along with its derivatives, can perform just $\tau$-actions, $\sigma$-actions or input actions derived without applying rule (Rcv). Then it is straightforward to prove that there exists a simulation $\hat{\mathcal{R}}_i$ containing the pair $(\, m[R_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m} ,\; m[R_i]^{obs} \,)$.

We show that the required simulation is given by the following relation

$$\mathcal{R} \;\stackrel{\mathrm{def}}{=}\; \bigcup_{i \ge 1} \Big( \hat{\mathcal{R}}_i \;\cup \bigcup_{\substack{w' \in D(\varphi_{2(i-1)}) \\ w \in D(\varphi_{2i-1}) \\ w'' \in D(\varphi_{2i})}} \mathcal{R}_i(w', w, w'') \Big) .$$

We outline the most significant cases. We omit input actions since the environment contains exclusively the node $obs$, which cannot transmit; thus all input actions can be derived just by combining rules (RcvEnb) and (RcvPar). We also omit internal choices of the attacker.

In the pair $(\, m[A''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} ,\; m[A_i]^{obs} \,)$ we have a single significant action:

• $m[A''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} \xrightarrow{!p_i \triangleright obs} m[\sigma.B''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m}$. Then the second network replies with $m[A_i]^{obs} \xrightarrow{!p_i \triangleright obs} m[\sigma.B_i]^{obs}$.

In the pair $(\, m[\sigma.B''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} ,\; m[\sigma.B_i]^{obs} \,)$ we have a single significant action:

• $m[\sigma.B''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} \xrightarrow{\sigma} m[B''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m}$. Then $m[\sigma.B_i]^{obs} \xrightarrow{\sigma} m[B_i]^{obs}$.

In the pair $(\, m[B''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} ,\; m[B_i]^{obs} \,)$ we have a significant action:

• $m[B''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} \xrightarrow{\sigma} m[A''_{i+1}]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m}$, where $m$ does not receive anything and thus performs a timeout. Then $m[B_i]^{obs} \xrightarrow{\sigma} m[A_{i+1}]^{obs}$.

In the pair $(\, m[B''_i]^{\{a,obs\}} \mid a[!\langle w \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} ,\; m[B_i]^{obs} \,)$ we have two significant actions:

• $m[B''_i]^{\{a,obs\}} \mid a[!\langle w \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} \xrightarrow{\tau} m[\{w/x\}C''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m}$, where $m$ receives $w$. Then the second network replies with $m[B_i]^{obs} \Longrightarrow m[B_i]^{obs}$.

• $m[B''_i]^{\{a,obs\}} \mid a[!\langle w \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} \xrightarrow{\tau} m[B''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m}$, where $w$ gets lost. Then the second network replies with $m[B_i]^{obs} \Longrightarrow m[B_i]^{obs}$.

In the pair $(\, m[\{w/x\}C''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} ,\; m[B_i]^{obs} \,)$ we have two significant transitions:

• $m[\{w/x\}C''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} \xrightarrow{\sigma} m[!\langle auth_i \rangle.R_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m}$, where $m$ verifies the MAC of the message $w$, checks that the nonce included in $w$ is actually $n_i$ and then authenticates the key. Then $m[B_i]^{obs} \xrightarrow{\sigma} m[!\langle auth_i \rangle.R_i]^{obs}$.

• $m[\{w/x\}C''_i]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} \xrightarrow{\sigma} m[A''_{i+1}]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m}$, where $m$ does not verify the MAC of the message $w$, thus it cannot check that the nonce included in $w$ is actually $n_i$, or in general it finds out that the message is corrupted. Then $m[B_i]^{obs} \xrightarrow{\sigma} m[A_{i+1}]^{obs}$. □

Proof of Proposition 4.6. Similar to that of Proposition 4.1. □

Proof of Lemma 4.7. We provide the proper simulation in both cases.

Case 1: Base Station. We notice that the process $S_i$, along with its derivatives, cannot receive any message. Thus an attacker in $b$ cannot affect the behaviour of $bs[S_i]^{\{b,obs\}}$. Hence it is straightforward to prove that $bs[S_i]^{\{b,obs\}} \mid \mathrm{Top}^{\varphi_0}_{b/bs} \lesssim bs[S_i]^{obs}$.

Case 2: Nodes. We fix a node $m \in \{m_1, \ldots, m_n\}$, we let $a \in \{a_1, \ldots, a_n\}$ denote its corresponding attacking place and we show that

$$m[R'(1, -1, \bot, k)]^{\{a,obs\}} \mid \mathrm{Top}^{\varphi_0}_{a/m} \;\lesssim\; m[R_1]^{obs} .$$

To make the notation uniform, we define $k_{-1} \stackrel{\mathrm{def}}{=} k$. We pick the indexes $i \ge 1$ and $-1 \le l \le i-2$, and the messages $\hat{r}, \hat{p}, \hat{k}$ and $\hat{q}$. Then we build the relation $\mathcal{R}^{l}_{i}(\hat{p}, \hat{k}, \hat{q})$ which contains the pair

$$(\, m[R'(i, l, \hat{r}, k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} ,\; m[R_i]^{obs} \,)$$

along with its derivatives which may be generated when $m$ first receives $\hat{p}$ and then $\hat{k}$ from the attacker. To improve the readability: (i) we define $\nu'_m \stackrel{\mathrm{def}}{=} \{a, obs\}$, (ii) we employ the structural congruence $\equiv$ to rewrite the process $R_i$ as:

$$R_i \stackrel{\mathrm{def}}{=} \sigma.P_i \qquad P_i \stackrel{\mathrm{def}}{=} \lfloor \tau.\sigma.Z_{i+1} \rfloor R_{i+1} \qquad Z_i \stackrel{\mathrm{def}}{=} \;!\langle auth_{i-2} \rangle.R_i .$$

Then we define

$$\begin{array}{l}
\mathcal{R}^{l}_{i}(\hat{p}, \hat{k}, \hat{q}) \;=\; \{\; (\, m[R'(i,l,\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} ,\; m[R_i]^{obs} \,) , \\[2pt]
\quad (\, m[R'(i,l,\hat{r},k_l)]^{\nu'_m} \mid a[!\langle \hat{p} \rangle.\mathrm{T}_{\varphi_{2(i-1)}}]^{m} ,\; m[R_i]^{obs} \,) , \\[2pt]
\quad (\, m[\sigma.P'(i,l,\hat{p},\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} ,\; m[R_i]^{obs} \,) , \\[2pt]
\quad (\, m[\sigma.P'(i,l,\hat{p},\hat{r},k_l)]^{\nu'_m} \mid a[!\langle \hat{p} \rangle.\mathrm{T}_{\varphi_{2(i-1)}}]^{m} ,\; m[R_i]^{obs} \,) , \\[2pt]
\quad (\, m[P'(i,l,\hat{p},\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} ,\; m[P_i]^{obs} \,) , \\[2pt]
\quad (\, m[P'(i,l,\hat{p},\hat{r},k_l)]^{\nu'_m} \mid a[!\langle \hat{k} \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} ,\; m[P_i]^{obs} \,) , \\[2pt]
\quad (\, m[T'(i,l,\hat{p},\hat{r},k_l,\hat{k})]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} ,\; m[P_i]^{obs} \,) , \\[2pt]
\quad (\, m[T'(i,l,\hat{p},\hat{r},k_l,\hat{k})]^{\nu'_m} \mid a[!\langle \hat{k} \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} ,\; m[P_i]^{obs} \,) , \\[2pt]
\quad (\, m[Q'(i,l,\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} ,\; m[P_i]^{obs} \,) , \\[2pt]
\quad (\, m[Q'(i,l,\hat{r},k_l)]^{\nu'_m} \mid a[!\langle \hat{k} \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} ,\; m[P_i]^{obs} \,) , \\[2pt]
\quad (\, m[Z'(i+1,i-1,\hat{p},k_{i-1})]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m} ,\; m[Z_{i+1}]^{obs} \,) , \\[2pt]
\quad (\, m[Z'(i+1,i-1,\hat{p},k_{i-1})]^{\nu'_m} \mid a[!\langle \hat{q} \rangle.\mathrm{T}_{\varphi_{2i}}]^{m} ,\; m[Z_{i+1}]^{obs} \,) \;\} .
\end{array}$$

and we show that the required simulation is given by the following relation

$$\mathcal{R} \;\stackrel{\mathrm{def}}{=}\; \bigcup_{i \ge 1} \;\bigcup_{-1 \le l \le i-2} \;\bigcup_{\substack{\hat{p} \in D(\varphi_{2(i-1)}) \\ \hat{r} \in D(\varphi_{2(i-2)}) \\ \hat{k} \in D(\varphi_{2i-1}) \\ \hat{q} \in D(\varphi_{2i})}} \mathcal{R}^{l}_{i}(\hat{p}, \hat{k}, \hat{q}) .$$

As done for Lemma 4.4 we outline the most significant cases. Again, we omit input actions and internal choices of the attacker.

In the pair $(\, m[R'(i,l,\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} ,\; m[R_i]^{obs} \,)$ we have a significant action:

• $m[R'(i,l,\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} \xrightarrow{\sigma} m[Q'(i,l,\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m}$, where $m$ does not receive anything. Then $m[R_i]^{obs} \xrightarrow{\sigma} m[P_i]^{obs}$.

In the pair $(\, m[R'(i,l,\hat{r},k_l)]^{\nu'_m} \mid a[!\langle \hat{p} \rangle.\mathrm{T}_{\varphi_{2(i-1)}}]^{m} ,\; m[R_i]^{obs} \,)$ we have two significant actions:

• $m[R'(i,l,\hat{r},k_l)]^{\nu'_m} \mid a[!\langle \hat{p} \rangle.\mathrm{T}_{\varphi_{2(i-1)}}]^{m} \xrightarrow{\tau} m[\sigma.P'(i,l,\hat{p},\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m}$, where $m$ receives $\hat{p}$ from the attacker. Then $m[R_i]^{obs} \Longrightarrow m[R_i]^{obs}$.

• $m[R'(i,l,\hat{r},k_l)]^{\nu'_m} \mid a[!\langle \hat{p} \rangle.\mathrm{T}_{\varphi_{2(i-1)}}]^{m} \xrightarrow{\tau} m[R'(i,l,\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m}$, where $\hat{p}$ gets lost. Then $m[R_i]^{obs} \Longrightarrow m[R_i]^{obs}$.

In the pair $(\, m[\sigma.P'(i,l,\hat{p},\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} ,\; m[R_i]^{obs} \,)$ we have just a significant action:

• $m[\sigma.P'(i,l,\hat{p},\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} \xrightarrow{\sigma} m[P'(i,l,\hat{p},\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m}$. Then the second network replies with $m[R_i]^{obs} \xrightarrow{\sigma} m[P_i]^{obs}$.

In the pair $(\, m[P'(i,l,\hat{p},\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} ,\; m[P_i]^{obs} \,)$ we have just a significant action:

• $m[P'(i,l,\hat{p},\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} \xrightarrow{\sigma} m[R'(i+1,l,\hat{p},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m}$, where $m$ does not receive anything. Then $m[P_i]^{obs} \xrightarrow{\sigma} m[R_{i+1}]^{obs}$.

In the pair $(\, m[P'(i,l,\hat{p},\hat{r},k_l)]^{\nu'_m} \mid a[!\langle \hat{k} \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} ,\; m[P_i]^{obs} \,)$ we have two significant actions:

• $m[P'(i,l,\hat{p},\hat{r},k_l)]^{\nu'_m} \mid a[!\langle \hat{k} \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} \xrightarrow{\tau} m[T'(i,l,\hat{p},\hat{r},k_l,\hat{k})]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m}$, where $m$ receives $\hat{k}$. Then the second network replies with $m[P_i]^{obs} \Longrightarrow m[P_i]^{obs}$.

• $m[P'(i,l,\hat{p},\hat{r},k_l)]^{\nu'_m} \mid a[!\langle \hat{k} \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} \xrightarrow{\tau} m[P'(i,l,\hat{p},\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m}$, where $\hat{k}$ gets lost. The second network replies with $m[P_i]^{obs} \Longrightarrow m[P_i]^{obs}$.

In the pair $(\, m[T'(i,l,\hat{p},\hat{r},k_l,\hat{k})]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} ,\; m[P_i]^{obs} \,)$ we have three significant actions:

• $m[T'(i,l,\hat{p},\hat{r},k_l,\hat{k})]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} \xrightarrow{\sigma} m[Z'(i+1,i-1,\hat{p},k_{i-1})]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m}$, where $m$ checks that $k_l = F^{\,i-1-l}(\hat{k})$ and authenticates $\hat{r}$. Then $m[P_i]^{obs} \xrightarrow{\sigma} m[Z_{i+1}]^{obs}$.

• $m[T'(i,l,\hat{p},\hat{r},k_l,\hat{k})]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} \xrightarrow{\sigma} m[R'(i+1,i-1,\hat{p},k_{i-1})]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m}$, where $m$ checks that $k_l = F^{\,i-1-l}(\hat{k})$ but it does not authenticate $\hat{r}$. Then $m[P_i]^{obs} \xrightarrow{\sigma} m[R_{i+1}]^{obs}$.

• $m[T'(i,l,\hat{p},\hat{r},k_l,\hat{k})]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} \xrightarrow{\sigma} m[R'(i+1,l,\hat{p},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m}$, where $m$ verifies $k_l \neq F^{\,i-1-l}(\hat{k})$. Then again $m[P_i]^{obs} \xrightarrow{\sigma} m[R_{i+1}]^{obs}$ by timeout.

In the pair $(\, m[Q'(i,l,\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} ,\; m[P_i]^{obs} \,)$ we have a significant action:

• $m[Q'(i,l,\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} \xrightarrow{\sigma} m[R'(i+1,l,\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m}$, where $m$ does not receive anything and thus performs a timeout. Then $m[P_i]^{obs} \xrightarrow{\sigma} m[R_{i+1}]^{obs}$.

In the pair $(\, m[Q'(i,l,\hat{r},k_l)]^{\nu'_m} \mid a[!\langle \hat{k} \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} ,\; m[P_i]^{obs} \,)$ the first network can perform two significant actions:

• $m[Q'(i,l,\hat{r},k_l)]^{\nu'_m} \mid a[!\langle \hat{k} \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} \xrightarrow{\tau} m[T'(i,l,\hat{r},\hat{r},k_l,\hat{k})]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m}$, where $m$ receives $\hat{k}$. Then the second network replies $m[P_i]^{obs} \Longrightarrow m[P_i]^{obs}$.

• $m[Q'(i,l,\hat{r},k_l)]^{\nu'_m} \mid a[!\langle \hat{k} \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} \xrightarrow{\tau} m[Q'(i,l,\hat{r},k_l)]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m}$, where $\hat{k}$ gets lost. Then the second network replies $m[P_i]^{obs} \Longrightarrow m[P_i]^{obs}$. □

Proof of Proposition 5.1. Similar to that of Proposition 4.1. □
Proof of Theorem 5.2. The system $(\mathrm{LEAP+})^{\mathcal{A}}_{\mathcal{I}} \mid A$ admits the following computation:

$$\begin{array}{l}
m[S_1]^{\nu_m} \mid r[R']^{\nu_r} \mid A \\[2pt]
\xrightarrow{!hello_1 \triangleright obs}\; m[\sigma.P]^{\nu_m} \mid r[R']^{\nu_r} \mid a[\sigma.!\langle hello_1 \rangle.\mathrm{nil}]^{\nu_a} \mid b[Y]^{\nu_b} \\[2pt]
\xrightarrow{\sigma}\; m[P]^{\nu_m} \mid r[\sigma.R']^{\nu_r} \mid a[!\langle hello_1 \rangle.\mathrm{nil}]^{\nu_a} \mid b[\lfloor ?(y).\sigma.!\langle y \rangle.\mathrm{nil} \rfloor \mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{\tau}\; m[\{hello_1/x\}(\ldots)]^{\nu_m} \mid r[\sigma.R']^{\nu_r} \mid a[\mathrm{nil}]^{\nu_a} \mid b[\sigma.!\langle hello_1 \rangle.\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{\sigma}\; m[S_2]^{\nu_m} \mid r[R']^{\nu_r} \mid a[\mathrm{nil}]^{\nu_a} \mid b[!\langle hello_1 \rangle.\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{\tau}\; m[S_2]^{\nu_m} \mid r[\sigma.!\langle q_1 \rangle.R'_8]^{\nu_r} \mid a[\mathrm{nil}]^{\nu_a} \mid b[\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{!hello_2 \triangleright obs}\; m[\sigma.P]^{\nu_m} \mid r[\sigma.!\langle q_1 \rangle.R'_8]^{\nu_r} \mid a[\mathrm{nil}]^{\nu_a} \mid b[\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{\sigma}\; m[P]^{\nu_m} \mid r[!\langle q_1 \rangle.R'_8]^{\nu_r} \mid a[\mathrm{nil}]^{\nu_a} \mid b[\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{!q_1 \triangleright obs}\; m[\{q_1/x\}P_1]^{\nu_m} \mid r[R'_8]^{\nu_r} \mid a[\mathrm{nil}]^{\nu_a} \mid b[\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{\sigma}\; m[S_3]^{\nu_m} \mid r[!\langle end_1 \rangle.\mathrm{nil}]^{\nu_r} \mid a[\mathrm{nil}]^{\nu_a} \mid b[\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{!end_1 \triangleright obs}
\end{array}$$

Then agreement is not reached.
Proof of Lemma 5.4. We prove this lemma by showing the appropriate simulations.

Case 1: Sender. We define $\nu'_m = \{a, obs\}$. We need to prove $m[S''_1]^{\nu'_m} \mid \mathrm{Top}^{\varphi_0}_{a/m} \lesssim m[S_1]^{obs}$. Thus we fix an index $i = 1, 2, \ldots$, we pick the messages $q' \in D(\varphi_{2(i-1)})$ and $q \in D(\varphi_{2i-1})$, and we build the relation $\mathcal{R}_i(q', q)$ containing $(\, m[S''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} ,\; m[S_i]^{obs} \,)$ along with its derivatives which may be generated when $m$ receives $q$ from the attacker.

$$\begin{array}{l}
\mathcal{R}_i(q', q) \;\stackrel{\mathrm{def}}{=}\; \{\; (\, m[S''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} ,\; m[S_i]^{obs} \,) , \\[2pt]
\quad (\, m[\sigma.P''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} ,\; m[\sigma.\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \,) , \\[2pt]
\quad (\, m[\sigma.P''_i]^{\nu'_m} \mid a[!\langle q' \rangle.\mathrm{T}_{\varphi_{2(i-1)}}]^{m} ,\; m[\sigma.\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \,) , \\[2pt]
\quad (\, m[P''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} ,\; m[\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \,) , \\[2pt]
\quad (\, m[P''_i]^{\nu'_m} \mid a[!\langle q \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} ,\; m[\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \,) , \\[2pt]
\quad (\, m[\{q/x\}P'''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} ,\; m[\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \,) , \\[2pt]
\quad (\, m[\{q/x\}P'''_i]^{\nu'_m} \mid a[!\langle q \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} ,\; m[\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \,) , \\[2pt]
\quad (\, m[!\langle auth_i \rangle.\mathrm{nil}]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m} ,\; m[!\langle auth_i \rangle.\mathrm{nil}]^{obs} \,) \;\} .
\end{array}$$

Moreover, it is straightforward to prove that there exists a simulation $\hat{\mathcal{R}}_i$ containing the pair $(\, m[!\langle auth_i \rangle.\mathrm{nil}]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m} ,\; m[!\langle auth_i \rangle.\mathrm{nil}]^{obs} \,)$.

Then we show that the required simulation is given by the following relation

$$\mathcal{R} \;\stackrel{\mathrm{def}}{=}\; \bigcup_{i \ge 1} \Big( \hat{\mathcal{R}}_i \;\cup \bigcup_{\substack{q' \in D(\varphi_{2(i-1)}) \\ q \in D(\varphi_{2i-1})}} \mathcal{R}_i(q', q) \Big) .$$

As done for Lemma 4.4 we outline the most significant cases. Again, we omit input actions and internal choices of the attacker.

In the pair $(\, m[S''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} ,\; m[S_i]^{obs} \,)$ we have a significant action:

• $m[S''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} \xrightarrow{!hello_i \triangleright obs} m[\sigma.P''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m}$, where $m$ broadcasts the packet $hello_i$. Then $m[S_i]^{obs} \xrightarrow{!hello_i \triangleright obs} m[\sigma.\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs}$.

In the pair $(\, m[\sigma.P''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} ,\; m[\sigma.\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \,)$ we have a significant action:

• $m[\sigma.P''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2(i-1)}}_{a/m} \xrightarrow{\sigma} m[P''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m}$. Then $m[\sigma.\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \xrightarrow{\sigma} m[\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs}$.

In the pair $(\, m[P''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} ,\; m[\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \,)$ we have a significant action:

• $m[P''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} \xrightarrow{\sigma} m[S''_{i+1}]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m}$, where $m$ does not receive anything and performs a timeout. Then $m[\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \xrightarrow{\sigma} m[S_{i+1}]^{obs}$.

In the pair $(\, m[P''_i]^{\nu'_m} \mid a[!\langle q \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} ,\; m[\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \,)$ we consider two actions:

• $m[P''_i]^{\nu'_m} \mid a[!\langle q \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} \xrightarrow{\tau} m[\{q/x\}P'''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m}$, where $m$ receives $q$. Then the second network replies $m[\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \Longrightarrow m[\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs}$.

• $m[P''_i]^{\nu'_m} \mid a[!\langle q \rangle.\mathrm{T}_{\varphi_{2i-1}}]^{m} \xrightarrow{\tau} m[P''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m}$, where $q$ gets lost. Then the second network replies $m[\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \Longrightarrow m[\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs}$.

In the pair $(\, m[\{q/x\}P'''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} ,\; m[\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \,)$ we have two significant actions:

• $m[\{q/x\}P'''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} \xrightarrow{\sigma} m[!\langle auth_i \rangle.\mathrm{nil}]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m}$, where $m$ verifies that $q$ refers to the nonce $n_i$. Then $m[\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \xrightarrow{\sigma} m[!\langle auth_i \rangle.\mathrm{nil}]^{obs}$.

• $m[\{q/x\}P'''_i]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i-1}}_{a/m} \xrightarrow{\sigma} m[S''_{i+1}]^{\nu'_m} \mid \mathrm{Top}^{\varphi_{2i}}_{a/m}$, where $m$ verifies that $q$ does not refer to $n_i$, or it finds out that $q$ is corrupted. Then $m[\lfloor \tau.\sigma.!\langle auth_i \rangle.\mathrm{nil} \rfloor S_{i+1}]^{obs} \xrightarrow{\sigma} m[S_{i+1}]^{obs}$.

Case 2: Receiver. Similar to Case 1 of Lemma 4.4. □

Proof of Proposition 6.1. Similar to that of Proposition 4.1. □


Proof of Theorem 6.2. The system $(\mathrm{LiSP}')^{\mathcal{A}}_{\mathcal{I}} \mid A$ admits the following computation:

$$\begin{array}{l}
m[Z]^{\nu_m} \mid kl[L_0]^{\nu_{kl}} \mid A \\[2pt]
\xrightarrow{!r \triangleright obs}\; m[\sigma.W]^{\nu_m} \mid kl[\sigma.\{r/x\}I_1]^{\nu_{kl}} \mid A \\[2pt]
\xrightarrow{\sigma}\; m[W]^{\nu_m} \mid kl[\{r/x\}I_1]^{\nu_{kl}} \mid a[\sigma.\lfloor ?(x).\sigma.!\langle x \rangle.\mathrm{nil} \rfloor \mathrm{nil}]^{\nu_a} \mid b[\lfloor ?(y).\sigma.!\langle y \rangle.\mathrm{nil} \rfloor \mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{!q_1 \triangleright obs}\; m[W]^{\nu_m} \mid kl[\sigma.L_1]^{\nu_{kl}} \mid a[\sigma.\lfloor ?(x).\sigma.!\langle x \rangle.\mathrm{nil} \rfloor \mathrm{nil}]^{\nu_a} \mid b[\sigma.!\langle q_1 \rangle.\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{\sigma}\; m[Z]^{\nu_m} \mid kl[L_1]^{\nu_{kl}} \mid a[\lfloor ?(x).\sigma.!\langle x \rangle.\mathrm{nil} \rfloor \mathrm{nil}]^{\nu_a} \mid b[!\langle q_1 \rangle.\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{\tau}\; m[Z]^{\nu_m} \mid kl[\sigma.\{q_1/r\}I_2]^{\nu_{kl}} \mid a[\sigma.!\langle q_1 \rangle.\mathrm{nil}]^{\nu_a} \mid b[\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{!r \triangleright obs}\; m[\sigma.W]^{\nu_m} \mid kl[\sigma.\{q_1/r\}I_2]^{\nu_{kl}} \mid a[\sigma.!\langle q_1 \rangle.\mathrm{nil}]^{\nu_a} \mid b[\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{\sigma}\; m[W]^{\nu_m} \mid kl[\{q_1/r\}I_2]^{\nu_{kl}} \mid a[!\langle q_1 \rangle.\mathrm{nil}]^{\nu_a} \mid b[\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{\tau}\; m[\sigma.\{q_1/q\}(\ldots)]^{\nu_m} \mid kl[\{q_1/r\}I_2]^{\nu_{kl}} \mid a[\mathrm{nil}]^{\nu_a} \mid b[\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{\sigma}\; m[!\langle auth_1 \rangle.\sigma.R(k_2, k_{s+1}, s-1)]^{\nu_m} \mid kl[L_2]^{\nu_{kl}} \mid a[\mathrm{nil}]^{\nu_a} \mid b[\mathrm{nil}]^{\nu_b} \\[2pt]
\xrightarrow{!auth_1 \triangleright obs}
\end{array}$$

Then $m$ signals the correct reconfiguration based on an old packet.